
Revocation Systems with Very Small Private Keys

Allison Lewko, University of Texas at Austin
[email protected]

Amit Sahai, UCLA
[email protected]

Brent Waters, University of Texas at Austin
[email protected]

Abstract

In this work, we design a method for creating public key broadcast encryption systems. Our main technical innovation is based on a new “two equation” technique for revoking users. This technique results in two key contributions:

First, our new scheme has ciphertext size overhead O(r), where r is the number of revoked users, and the size of public and private keys is only a constant number of group elements from an elliptic-curve group of prime order. In addition, the public key allows us to encrypt to an unbounded number of users. Our system is the first to achieve such parameters. We give two versions of our scheme: a simpler version which we prove to be selectively secure in the standard model under a new, but non-interactive assumption, and another version that employs the new dual system encryption technique of Waters to obtain adaptive security under the d-BDH and decisional Linear assumptions.

Second, we show that our techniques can be used to realize Attribute-Based Encryption (ABE) systems with non-monotonic access formulas, where our key storage is significantly more efficient than previous solutions. This result is also proven selectively secure in the standard model under our new non-interactive assumption.

We believe that our new technique will be of use elsewhere as well.


1 Introduction

In a broadcast encryption system [20], a broadcaster encrypts a message such that a particular set S of devices can decrypt the message sent over a broadcast channel. Broadcast systems have a wide range of applications including file systems, group communication, DVD content distribution, and satellite subscription services. In many of these applications, the notion of revocation is important. For example, if a DVD-player’s key material is leaked on the Internet, one might want to revoke it from decrypting future disks. In another example, consider a group of nodes communicating sensitive control and sensor information over a wireless network; if any of these nodes becomes compromised, we’d like to revoke them from all future broadcasts.

In this work, we design new broadcast encryption schemes, and we focus on two important contributions.

Revocation Systems with Small Key Sizes. We create public key revocation encryption systems with small cryptographic private and public keys. Our systems have two important features relating respectively to public and private key size.

First, public keys in our two systems are short (just 5 group elements and 12 group elements respectively) and enable a user to create a ciphertext that revokes an unbounded number of users. This is in contrast to other systems [10, 34, 18] where the public parameters bound the number of users in the system and must be updated to allow more users.

Second, the cryptographic key material that must be stored securely on the receiving devices is small. Keeping the size of private key storage as low as possible is important as cryptographic keys will often be stored in tamper-resistant memory, which is more costly. This can be especially critical in small devices such as sensor nodes, where maintaining low device cost is particularly crucial. Device keys in our systems are only a small constant number of group elements (in fact, just 3 group elements and 5 group elements respectively) from an elliptic-curve group of prime order. Furthermore, our schemes are public-key stateless broadcast encryption schemes¹, and we work with stateless receivers.

We achieve this small device key size without compromising on other critical parameters such as ciphertext length – our ciphertexts will consist of just O(r) group elements, where r is the number of revoked users. This is the same behavior as the previously best-known schemes for revocation. We also do not compromise on security: we obtain adaptive security in the standard model under the well-established d-BDH and decisional Linear assumptions.

Attribute-Based Encryption with Non-Monotonic Formulas. Our second key contribution is that we show how our techniques can be applied to achieving efficient Attribute-Based Encryption (ABE) [37] schemes with non-monotonic access formulas. Ostrovsky, Sahai, and Waters [35] showed a connection between revocation schemes and achieving non-monotonic access formulas in ABE; to negate an attribute in an access formula one applies a revocation scheme using the attribute as an identity to be revoked. Ostrovsky, Sahai, and Waters give a particular instance by adapting the revocation scheme of Naor and Pinkas [34] to the ABE scheme of Goyal et al. [25]. The primary drawback of their scheme is that the private key size of their scheme blows up by a multiplicative factor of log n, where n is the maximum number of attributes. More precisely, once the DeMorgan’s law transformation is made, each negated attribute in the private key will have O(log n) group elements. By adapting our new revocation techniques to the Goyal et al. ABE scheme, we get that each negated attribute will only take two group elements. In practice, for many applications the private key storage will decrease by an order of magnitude.

¹ And in fact, our schemes are identity-based: each device’s private key can be based on the device’s natural “identity,” which could be an arbitrary string like a serial number or even an email address. In most previous schemes, every device had to be assigned a specific number between 1 and n.

Our Techniques. The primary challenge in constructing broadcast encryption schemes is to achieve full collusion resilience – to make sure that if all the revoked users combine their key material, they still cannot decrypt ciphertexts.

In order to understand our techniques, it is useful to review the Naor-Pinkas [34] revocation scheme. Naor and Pinkas additionally show how to combine their scheme with traitor-tracing, but we will only be concerned with revocation. In their system, in order to revoke r users² a degree r polynomial q(x) is chosen and O(r) group elements are published allowing anyone to compute $g^{q(x)}$ for generator g in group G of order p. A private key for user i consists of q(i). To encrypt, a user selects a revoked set of users S and a secret exponent $s \in \mathbb{Z}_p$. The ciphertext consists of $g^s$ along with $g^{s \cdot q(j)}$ for each revoked user j in the set S. If an attacker consists of just users from the set S, he will be unable to produce any new points of the polynomial $s \cdot q(x)$. From a high level view, this system revokes by giving revoked users redundant information. The system provides collusion resistance by defining a “global” polynomial across the whole system. Unfortunately, this structure inherently locks the system to a predetermined maximum number of revoked users and a long public key.

In order to avoid these limitations, we propose a new methodology for building revocation systems. Like the Naor-Pinkas system, we use the idea of revocation by redundant equations. However, instead of using a system that defines a global polynomial, we let the encryption algorithm define several “local” revocation equations. Our techniques have two major components:

First, we use a “two equation” method for decryption. A ciphertext will be encrypted such that a certain set $S = \{ID_1, \ldots, ID_r\}$ will be revoked from decrypting it. (For our second system, we think of identities $ID_i$ as being indices between 1 and n, where n is the number of users in the system.) Since the ciphertext consists of O(r) group elements, there will be a ciphertext component for each $ID_i$. Intuitively, when decrypting, a user ID will apply his secret key to each component. If $ID \neq ID_i$, he will get two independent equations and be able to extract the i-th decryption share. However, if $ID = ID_i$ (i.e. he is revoked), then he will only get two dependent equations of a two variable formula and thus be unable to extract the decryption share. Alternatively, we can view each ciphertext component as locally defining a different degree one polynomial. For component i, a user ID will get two points on a fresh degree one polynomial $q_i(x)$ iff $ID \neq ID_i$ (and otherwise the user will essentially only get one point on the polynomial, which is not enough to solve). We can view this as a local revocation of each user to a component of the ciphertext.

One large challenge of our “local” revocation approach is that we need to make sure that multiple users cannot collude to decrypt the message. For example, if there is a ciphertext that revokes $S = \{ID_1, ID_2\}$, these users might try to decrypt by letting user $ID_2$ get the first share and user $ID_1$ obtain the second share. To prevent this attack, our key shares are randomized or “personalized” to each user to prevent combination of decryption shares. To achieve this, we devise a new technique for achieving collusion resilience using novel cancelation techniques based on the power of a bilinear map.

Our first (simpler) system clearly demonstrates our techniques and is shown to be selectively secure under a new non-interactive assumption that we call the decisional q-Multi Exponent Bilinear Diffie-Hellman (q-MEBDH) assumption. We formally define this assumption in Appendix A.2. We show the assumption to hold in the generic bilinear group model in Appendix B.1³. We prove security in the standard static model, showing that a ciphertext that revokes up to r users is secure if the decisional r-MEBDH assumption holds.

² To revoke less than r users, they simply revoke some “dummy” users.

³ One might wonder if the security proof of our assumption in the generic group model suggests the need for much larger security parameters, thereby negating the efficiency advantages claimed here; indeed we show that this is not the case. See Section B.3 and Appendix B.1 for more details.

Our second system combines the techniques of our first system with the recent dual system encryption technique of Waters [45]. This technique was used to give a fully secure IBE system under the d-BDH and decisional Linear Assumptions which we will adapt to form our revocation system. We prove our system to be adaptively secure in the standard model under the well-established d-BDH and decisional Linear assumptions. The clear advantage of this system over our first system is its adaptive security and reliance on simpler, more standard assumptions. Its only (relative) disadvantage is that the constant public and private key sizes are slightly higher than in our first system.

In a dual system, keys and ciphertext can take on two forms: they can either be normal (as used in the real system) or semi-functional. Security for dual systems is proved using a sequence of indistinguishable games, where the ciphertext and keys are changed to be semi-functional one by one. In the intermediate games where the keys switch to semi-functional, the simulator is prepared to create a semi-functional key for any identity and a challenge ciphertext for any allowed subset of revoked identities. This may seem problematic, since the simulator might try to test semi-functionality of the key in question for itself by creating a semi-functional challenge ciphertext where that user is not revoked. We will avoid this issue by making sure the simulator can only form the semi-functional ciphertext properly when the key in question is for a revoked user. This is similar to the technique used in the Broadcast Encryption scheme in [45] which was proven to be adaptively secure, but this system had key sizes which were linear in the number of users while our system achieves constant key sizes.

We believe that our technique will be of use in other cryptographic applications, as well. Recently, Waters [45] applied the revocation techniques of a prior version of this paper to construct new fully secure HIBE schemes based on simple assumptions, and fully secure IBE schemes with very short public parameters.

1.1 Related Work

Fiat and Naor [20] first introduced the problem of broadcast encryption. In their system they proposed a scheme that is secure against a collusion of t users, where the ciphertext size was $O(t \log^2 t \log n)$. This system and other following work [41, 42, 43, 30, 21, 22], used a combinatorial approach. For this type of approach, there is an inherent tradeoff between the efficiency of the system and the number, t, of colluders that the system is resistant to. An attacker in the system that compromises more than t users can compromise the security of the scheme.

For systems without a bound on the number of revoked users at setup, there have been two general classes of revocation broadcast schemes. The first stateless tree-based revocation schemes were proposed by Naor, Naor and Lotspiech [33] where they introduced the “subset cover” framework. In their framework users were assigned to leaves in a tree and belonged to different subsets. An encryptor encrypts to the minimum number of subsets that covers all the non-revoked users and none of the revoked ones. The primary challenge is to structure the subsets so that they are expressive enough to allow for small ciphertext overhead, yet don’t impose large private key overhead on the user. The NNL paper proposed two systems with ciphertext sizes of $O(r \lg n)$ and $O(2r)$ and private key sizes of $O(\lg n)$ and $O(\lg^2 n)$ respectively. These methods were subsequently improved upon in future works by Halevy and Shamir [27] and by Goodrich, Sun, and Tamassia [24], where the GST system gives O(r) size ciphertexts and $O(\lg n)$ size private keys. Dodis and Fazio [19] show how to make the NNL and Halevy and Shamir systems public key by employing hierarchical identity-based encryption methods. It is unknown how to realize the more efficient GST scheme in the public key setting.

The second class of methods is based on polynomial interpolation in the exponents of group elements and was given by Kurosawa and Desmedt [31] and Naor and Pinkas [34]. In these systems the setup algorithm picks a polynomial of degree d, where d is the maximum number of users that can be revoked. Both the public key and ciphertexts are of size d. Yoo et al. [47] observe that $\lg(n)$ parallel systems can be used to handle n users with O(r) size private keys, O(n) size public keys and O(r) size ciphertexts.

We note that there are a class of stateful encryption schemes known as logical-tree-hierarchy schemes independently discovered by Wallner et al. [44] and Wong [46], which are improved in further work [13, 16, 39]. The drawback of stateful schemes is that if a receiver misses an update it won’t be able to decrypt future messages (or this must be corrected somehow). Even so, our stateless solution actually provides a more efficient way to revoke users in the stateful setting than previous schemes.

We remark that two equation techniques are somewhat reminiscent of those used for knowledge extraction in discrete log proof of knowledge settings [38]. In addition, different types of two equation techniques have been applied in ecash applications (see e.g., [12] and the references therein).

We also note that [10] proposed the first non-trivial fully collusion resistant broadcast encryption scheme; broadcasts to a set of uncompromised users remain secure no matter how many other keys the adversary obtained. (In contrast, our approach and those referenced above would lead to very long ciphertexts if the number of revoked users were very large.) Their scheme is proven selectively secure and allows for broadcasts to an arbitrary set of users where the ciphertexts and private key material are both a constant number of group elements; however, the public key material is linear in the number of users in the system and, moreover, the public key must be accessible by any decryptor in the system. This makes their solution unusable for small devices that cannot store the public key. In comparison, our solution is appropriate for applications, like group encryption, where we expect relatively few devices will be compromised and revoked from the encryption and where we need very small storage.

Delerablée, Paillier and Pointcheval [18] use a type of inversion technique to achieve a system with small private keys, but public parameters still require a linear number of group elements in the number of users.⁴ Unlike our system, the published public parameters will establish an upper bound on the number of users that may be encrypted to (without “appending” to the public key), although private keys need not be modified. In addition, they obtain security from a non-standard assumption with a number of terms that grows polynomially.

Gentry and Waters [23] recently obtained an adaptively secure broadcast encryption system, but it has large keys (growing linearly with n, the number of users in the system) and is proven secure from a non-standard assumption which depends on n. To obtain adaptive security, they use a “two-key” transformation from semi-statically secure systems to adaptively secure systems. (Semi-static security is a sort of middle-ground between static and adaptive security.) This technique does not seem to extend to revocation systems.

Attribute-Based Encryption was introduced by Sahai and Waters [37]; subsequent works [25, 6, 17, 35, 26] have proposed ABE systems with different properties. Different authors [40, 32, 3, 11, 1, 4] have considered similar problems without considering collusion resistance.

⁴ The authors additionally describe a secret key version of the scheme where the broadcaster is the same as the authority. In this case the trusted broadcaster can contain a short secret for encryption (e.g., the seed used for system setup).

Key Sizes. We stress that, as summarized above, all previous public key revocation schemes required⁵ either (1) larger private key size by at least a factor of log n, where n is the number of users, or (2) much larger public parameter size, by a factor of n.

1.2 Organization

The rest of the paper is organized as follows. In Section 2 we provide the relevant definitions for revocation systems. We then give the construction of our simple revocation system in Section 3 and our second system in Section 4. We prove security of our system in Section 5. Finally, we show how to realize a non-monotonic Attribute-Based Encryption system with small private key sizes in Section 6.

2 Background

We begin by providing a security definition for a revocation system, in the identity-based framework. We use definitions that are similar, for example, to the definitions for broadcast encryption used by Boneh, Gentry, and Waters [10]; however we adapt our definition to the Identity-Based setting. Later, we state our complexity assumptions.

2.1 Revocation Systems

A revocation encryption system is made up of three randomized algorithms. For simplicity of notation, we assume an implicit security parameter of λ.

Setup. An authority will run the setup algorithm. The algorithm outputs a public key PK and master secret key MSK.

KeyGen(MSK, ID). The key generation algorithm takes in the master secret key MSK and an identity, ID. It generates a private key $SK_{ID}$ for the identity.

Encrypt(S, PK, M). The encryption algorithm takes as input a revocation set S of identities along with the public key and a message M to encrypt. It outputs a ciphertext CT such that any user with a key for an identity ID ∉ S can decrypt.

Decrypt(S, CT, ID, $D_{ID}$). The decryption algorithm takes as input a ciphertext CT that was generated for the revocation set S, as well as an identity ID and a private key for it. If ID ∉ S the algorithm will be able to decrypt and recover the message M encrypted in the ciphertext.

We now define (chosen plaintext) security of a revocation encryption system. Security is defined using the following “Revocation Game” between an attack algorithm A and a challenger.

Setup. The challenger runs Setup to obtain a public key PK and master secret key MSK. It gives A the public key PK.

Key Query Phase. A adaptively issues private key queries for identities ID. The challenger gives A the corresponding decryption keys $d_{ID}$.

Challenge. The attacker gives the challenger two messages $M_0, M_1$ and a set S of revoked identities. S must include all identities that were queried. Next, the challenger picks a random $b \in \{0, 1\}$. The challenger runs algorithm Encrypt to obtain $CT \xleftarrow{R} \text{Encrypt}(S, PK, M_b)$. It then gives CT to algorithm A.

Guess. Algorithm A outputs its guess $b' \in \{0, 1\}$ for b and wins the game if $b = b'$.

Definition 1. We say that a revocation system is (chosen-plaintext) secure if, for all revocation sets S of size polynomial in the security parameter, no polynomial-time adversary can win the “Revocation Game” (defined above) with non-negligible advantage over 1/2.

Our definition reflects the scenario where all users in the revoked set S get together and collude (this is because the adversary can get all of the private keys for the revoked set). We note that selective (also called static) security is defined similarly, except that the revoked set S must be declared by the adversary before it sees the public parameters.

Chosen-Ciphertext Security. We will also consider chosen-ciphertext (CCA) security, where the adversary can also issue decryption queries for ciphertexts that it constructs (as long as the queried ciphertexts are not equal to the challenge ciphertext). The game is identical to the game above, except decryption queries (for arbitrary revocation sets) are allowed. Our main construction will be chosen-plaintext secure; however it can be made CCA-secure using the techniques of Canetti, Halevi, and Katz [15].

⁵ We also stress that this is an “apples to apples” comparison, since in all these public-key schemes, the underlying group size would be comparable for a given security level (or favor our setting of elliptic curve groups).

3 Our Simple Revocation System

We now present our simpler revocation system. Our system has the following features: both public and private keys are of size independent of the number of users (i.e. only a constant number of group elements⁶); the ciphertext only contains O(r) group elements, where r is the number of revoked users.

Intuition. Our construction uses a novel application of secret sharing in the exponent. Suppose an encryption algorithm needs to create an encryption with a revocation set $S = \{ID_1, \ldots, ID_r\}$ of r identities. The algorithm will create an exponent $s \in \mathbb{Z}_p$ and split it into r random shares $s_1, \ldots, s_r$ such that $\sum_i s_i = s$. It will then create a ciphertext such that any user key with $ID = ID_i$ will not be able to incorporate the i-th share and thus not decrypt the message.

Our approach presents us with two challenges. First, we need to make sure that a user with revoked identity $ID = ID_i$ cannot do anything useful with share i. Second, we need to worry about collusion attacks between multiple revoked users. Suppose a user with $ID = ID_i$ and a user with $ID = ID_j$ collude to attack a ciphertext. The attack we need to worry about is where user j processes ciphertext share i, while user i processes share j, and then they combine their results.

The first problem is addressed by the method of decryption. For each share, the ciphertext will have two components. A user with $ID \neq ID_i$ can use these two components to obtain two linearly independent equations (in the exponent) involving the share $s_i$ (and another variable), which he will use to solve for the share $s_i$. However, if $ID = ID_i$ he will get two linearly dependent equations and not be able to solve the system. We remark that these techniques are somewhat reminiscent of those used for knowledge extraction in discrete log proof of knowledge settings [38]. In addition, different types of two equation techniques have been applied in ecash applications (see e.g., [12] and the references therein).

To address the second challenge, we randomize each user’s private key by an exponent t such that in decryption each user recovers shares $t \cdot s_i$ in the exponent. Thus, we disallow useful collusions in a similar manner to some Identity-Based [14, 8] and Attribute-Based [37, 25, 6] encryption systems. Our construction follows.

⁶ Indeed, since we are using elliptic curves of prime order, these elements can be quite short.

3.1 Simple Construction

In the description of our construction we will use a bilinear group G of prime order p. We will assume that identities are taken from the set $\mathbb{Z}_p$; in practice, of course, we can perform a collision resistant hash from identity strings to $\mathbb{Z}_p$. We now give our construction as a set of four algorithms.

Setup. The setup algorithm chooses a group G of prime order p. It then picks random generators $g, h \in G$ and picks random exponents $\alpha, b \in \mathbb{Z}_p$. The public key is published as:

$$PK = \left(g,\ g^b,\ g^{b^2},\ h^b,\ e(g,g)^{\alpha}\right).$$

The authority keeps α, b as secrets.

KeyGen(MSK, ID). The key generation algorithm first chooses a random $t \in \mathbb{Z}_p$ and publishes the private key as:

$$D_0 = g^{\alpha} g^{b^2 t},\qquad D_1 = \left(g^{b \cdot ID} h\right)^t,\qquad D_2 = g^{-t}.$$

Encrypt(PK, M, S). The encryption algorithm first picks a random $s \in \mathbb{Z}_p$. Then it lets r = |S| and chooses random $s_1, \ldots, s_r$ such that $s = s_1 + \cdots + s_r$. We let $ID_i$ denote the i-th identity in S. It then creates the ciphertext CT as:

$$C' = e(g,g)^{\alpha s} M,\qquad C_0 = g^s,$$

together with, for each i = 1, 2, …, r:

$$C_{i,1} = g^{b \cdot s_i},\qquad C_{i,2} = \left(g^{b^2 \cdot ID_i} h^b\right)^{s_i}.$$

Decrypt(S, CT, ID, $D_{ID}$). If there exists $ID' \in S$ such that $ID = ID'$ then the algorithm aborts; otherwise, the decryption algorithm computes:

$$\frac{e(C_0, D_0)}{e\left(D_1,\ \prod_{i=1}^{r} C_{i,1}^{1/(ID - ID_i)}\right) \cdot e\left(D_2,\ \prod_{i=1}^{r} C_{i,2}^{1/(ID - ID_i)}\right)}$$

which gives us $e(g,g)^{\alpha s}$; this can immediately be used to recover the message M from $C'$. Note that this computation is only defined if $\forall i\ ID \neq ID_i$.

We can verify the correctness of the decryption computation.

$$
\begin{aligned}
& e(C_0, D_0) \Big/ \left( e\Big(D_1,\ \prod_{i=1}^{r} C_{i,1}^{1/(ID - ID_i)}\Big) \cdot e\Big(D_2,\ \prod_{i=1}^{r} C_{i,2}^{1/(ID - ID_i)}\Big) \right) \\
&= e(C_0, D_0) \Big/ \left( \prod_{i=1}^{r} \big( e(D_1, C_{i,1}) \cdot e(D_2, C_{i,2}) \big)^{1/(ID - ID_i)} \right) \\
&= e\!\left(g^s,\ g^{\alpha} g^{b^2 t}\right) \Big/ \left( \prod_{i=1}^{r} \Big( e\big((g^{b \cdot ID} h)^t,\ g^{b s_i}\big) \cdot e\big(g^{-t},\ (g^{b^2 ID_i} h^b)^{s_i}\big) \Big)^{1/(ID - ID_i)} \right) \\
&= e(g,g)^{s\alpha}\, e(g,g)^{s b^2 t} \Big/ \left( \prod_{i=1}^{r} e(g,g)^{s_i b^2 t} \right) \\
&= e(g,g)^{s\alpha}
\end{aligned}
$$
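To make the correctness computation above and the collusion intuition of Section 3 concrete, here is an added toy model of the Section 3.1 scheme in Python. It is written for this page and is not the paper's code. The model replaces the bilinear group by its discrete-log representation: a group element is stored as its exponent modulo a constructed prime P, so multiplication becomes addition, exponentiation becomes multiplication, and the pairing becomes a product of exponents. That encoding has no security at all (every exponent is in the clear); it exists only so that three things can be checked with integers: the cancellation to e(g,g)^{αs} for a non-revoked key, the undefined 1/(ID − ID_i) for a revoked key, and the failure of the two-user share-swapping collusion because the shares carry different personalising exponents t. The function names, the sample identities and the message encoding are all constructed for this example; the model also requires at least one revoked (possibly dummy) identity, since the shares must sum to s through the ciphertext components.

```python
import secrets

# Toy model of the simple revocation system (Section 3.1); added example, not the paper's code.
# Encoding: an element of G is its discrete log base g, an element of G_T its log base e(g,g).
#   multiplication in G or G_T  ->  addition mod P
#   exponentiation               ->  multiplication mod P
#   pairing e(g^x, g^y)          ->  x * y mod P
# This is a correctness model only; it has no security because the exponents are the representation.
P = (1 << 127) - 1  # constructed toy modulus standing in for the prime group order p


def rand_zp():
    """Uniform nonzero element of Z_P."""
    return secrets.randbelow(P - 1) + 1


def inv_mod(x):
    """1/x in Z_P; undefined exactly when x == 0, i.e. when ID == ID_i."""
    x %= P
    if x == 0:
        raise ZeroDivisionError("1/(ID - ID_i) undefined: this identity is revoked")
    return pow(x, P - 2, P)


def setup():
    """PK = (g, g^b, g^{b^2}, h^b, e(g,g)^alpha) with h = g^eta; the authority keeps alpha, b."""
    alpha, b, eta = rand_zp(), rand_zp(), rand_zp()
    pk = {"g": 1, "g_b": b, "g_b2": b * b % P, "h_b": eta * b % P, "egg_alpha": alpha}
    msk = {"alpha": alpha, "b": b, "eta": eta}
    return pk, msk


def keygen(msk, ident):
    """D_0 = g^alpha g^{b^2 t}, D_1 = (g^{b ID} h)^t, D_2 = g^{-t} for a fresh personalising t."""
    t = rand_zp()
    alpha, b, eta = msk["alpha"], msk["b"], msk["eta"]
    return {"ID": ident,
            "D0": (alpha + b * b * t) % P,
            "D1": ((b * ident + eta) * t) % P,
            "D2": (-t) % P}


def encrypt(pk, msg, revoked):
    """C' = e(g,g)^{alpha s} M, C_0 = g^s, and per revoked ID_i the pair
    C_{i,1} = g^{b s_i}, C_{i,2} = (g^{b^2 ID_i} h^b)^{s_i}, with sum(s_i) = s.
    msg is the log of a G_T element (any integer mod P in this model)."""
    if not revoked:
        raise ValueError("model needs r >= 1: revoke at least one (dummy) identity")
    s = rand_zp()
    shares = [rand_zp() for _ in revoked[:-1]]
    shares.append((s - sum(shares)) % P)  # last share forces sum(shares) == s
    comps = [((pk["g_b"] * si) % P, ((pk["g_b2"] * idi + pk["h_b"]) * si) % P)
             for idi, si in zip(revoked, shares)]
    return {"S": list(revoked), "C_prime": (pk["egg_alpha"] * s + msg) % P,
            "C0": s, "comps": comps}


def share(key, ct, i):
    """e(D_1, C_{i,1}^{1/(ID-ID_i)}) * e(D_2, C_{i,2}^{1/(ID-ID_i)}) = e(g,g)^{t b^2 s_i}:
    the two components give two independent equations whenever ID != ID_i."""
    c1, c2 = ct["comps"][i]
    w = inv_mod(key["ID"] - ct["S"][i])  # raises for the component that revokes this key
    return (key["D1"] * (c1 * w) + key["D2"] * (c2 * w)) % P


def decrypt(key, ct):
    """e(C_0, D_0) / prod_i share_i = e(g,g)^{alpha s}; then strip the blinding from C'."""
    if key["ID"] in ct["S"]:
        raise ValueError("identity is in the revocation set")
    total = sum(share(key, ct, i) for i in range(len(ct["S"]))) % P
    egg_alpha_s = (ct["C0"] * key["D0"] - total) % P
    return (ct["C_prime"] - egg_alpha_s) % P


def collusion_attempt(key_a, key_b, ct):
    """The share swap from the Intuition paragraph: revoked user A processes every component
    except its own and revoked user B supplies A's component. Since t_A != t_B the shares do
    not sum to t_A b^2 s, so the result is not the message."""
    i_a = ct["S"].index(key_a["ID"])
    total = sum(share(key_a, ct, i) for i in range(len(ct["S"])) if i != i_a)
    total = (total + share(key_b, ct, i_a)) % P
    return (ct["C_prime"] - (ct["C0"] * key_a["D0"] - total)) % P


def demo():
    """Returns (honest decryption correct, collusion recovers message)."""
    pk, msk = setup()
    msg = 0x5EC7E7            # constructed message encoding
    revoked = [11, 22, 33]    # constructed revoked identities
    ct = encrypt(pk, msg, revoked)
    honest = keygen(msk, 44)
    key_a, key_b = keygen(msk, 11), keygen(msk, 22)
    return (decrypt(honest, ct) == msg, collusion_attempt(key_a, key_b, ct) == msg)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The `share` function is where the "two equation" idea lives: multiplying both components by the same exponent 1/(ID − ID_i) is what makes the (b·ID + η) and (b²·ID_i + ηb) terms cancel down to t·b²·s_i, and that exponent simply does not exist when ID = ID_i.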

We obtain the following theorem. (The proof appears in Appendix B.)

Theorem 2. Suppose the decisional q-MEBDH assumption holds. Then no poly-time adversarycan selectively break our system with a ciphertext encrypted to r∗ ≤ q revoked users.

4 Our Second Revocation System

This system retains the desirable properties of our simpler system: public and private keys still require only a constant number of group elements, and the ciphertext requires O(r) group elements, where r is the number of revoked users. The primary advantage of this system is that we obtain adaptive security from simple assumptions, namely the decisional Linear assumption and d-BDH.

Intuition. We combine the techniques of our simple construction with the dual system encryption technique of Waters [45]. Essentially, we append a version of our simple construction onto the core IBE construction of Waters.

4.1 Construction

We will again use a bilinear group G of order p and assume that identities are in the set {1, …, n}, where n is the number of users in the system.

Setup(n). The setup algorithm chooses a bilinear group G of prime order p. It then chooses random generators $g, v, v_1, v_2, w, h \in G$ and random exponents $a_1, a_2, b, \alpha \in \mathbb{Z}_p$. It lets $\tau_1 = v v_1^{a_1}$, $\tau_2 = v v_2^{a_2}$. The public key is published as:

$$PK = \left(n,\ g^b,\ g^{a_1},\ g^{a_2},\ g^{b a_1},\ g^{b a_2},\ \tau_1,\ \tau_2,\ \tau_1^b,\ \tau_2^b,\ w,\ h,\ e(g,g)^{\alpha a_1 b}\right).$$

The master secret key is:

$$MSK = \left(g,\ g^{\alpha},\ g^{\alpha a_1},\ v,\ v_1,\ v_2,\ PK\right).$$

We note that to add more users to the system (increase n), it is not necessary to change any other public parameters. We only assume that n is polynomial. We specify that all the identities in the system are indices between 1 and n (note that this makes the ID-space polynomial size).

KeyGen(MSK, ID). The key generation algorithm chooses random exponents $d_1, d_2, z_1, z_2 \in \mathbb{Z}_p$ and sets $d = d_1 + d_2$. The private key $D_{ID}$ is:

$$
\begin{aligned}
D_1 &= g^{\alpha a_1} v^d, & D_2 &= g^{-\alpha} v_1^d g^{z_1}, & D_3 &= (g^b)^{-z_1}, & D_4 &= v_2^d g^{z_2}, \\
D_5 &= (g^b)^{-z_2}, & D_6 &= g^{d_2 b}, & D_7 &= g^{d_1}, & K &= (w^{ID} h)^{d_1}.
\end{aligned}
$$

Encrypt(PK, M, S). The encryption algorithm chooses random exponents $s_1, s_2, t_1, \ldots, t_r$ and sets $s = s_1 + s_2$, $t = t_1 + \cdots + t_r$ (where r = |S|, the number of revoked users). We let $ID_i$ denote the i-th identity in S. The ciphertext CT is constructed as:

$$
\begin{aligned}
C_0 &= M \left(e(g,g)^{\alpha a_1 b}\right)^{s_2}, & C_1 &= (g^b)^s, & C_2 &= (g^{b a_1})^{s_1}, & C_3 &= (g^{a_1})^{s_1}, \\
C_4 &= (g^{b a_2})^{s_2}, & C_5 &= (g^{a_2})^{s_2}, & C_6 &= \tau_1^{s_1} \tau_2^{s_2}, & C_7 &= (\tau_1^b)^{s_1} (\tau_2^b)^{s_2} w^{-t},
\end{aligned}
$$

along with, for each i = 1, 2, …, r:

$$C_{i,1} = g^{t_i},\qquad C_{i,2} = \left(w^{ID_i} h\right)^{t_i}.$$

Decrypt(S, CT, ID, $D_{ID}$) If $ID = ID_i$ for some $ID_i \in S$, then the algorithm aborts. Otherwise, the decryption algorithm begins by computing:

$$A_1 = e(C_1, D_1)\, e(C_2, D_2)\, e(C_3, D_3)\, e(C_4, D_4)\, e(C_5, D_5) = e(g,g)^{\alpha a_1 b s_2}\, e(v,g)^{b s d}\, e(v_1,g)^{a_1 b s_1 d}\, e(v_2,g)^{a_2 b s_2 d}.$$

Next, the algorithm computes:

$$A_2 = e(C_6, D_6)\, e(C_7, D_7) = e(v,g)^{b s d}\, e(v_1,g)^{a_1 b s_1 d}\, e(v_2,g)^{a_2 b s_2 d}\, e(g,w)^{-d_1 t}.$$

Now,

$$A_3 = A_1 / A_2 = e(g,g)^{\alpha a_1 b s_2}\, e(g,w)^{d_1 t},$$

so if we separately compute $e(g,w)^{d_1 t}$, we can cancel this term and compute the blinding factor and hence recover the message. We compute $e(g,w)^{d_1 t}$ as follows:

$$A_4 = \prod_{i=1}^{r} \left( \frac{e(C_{i,1}, K)}{e(C_{i,2}, D_7)} \right)^{\frac{1}{ID - ID_i}} = \prod_{i=1}^{r} \left( e(g,w)^{d_1 t_i (ID - ID_i)} \right)^{\frac{1}{ID - ID_i}} = \prod_{i=1}^{r} e(g,w)^{d_1 t_i} = e(g,w)^{d_1 t}.$$

Thus, the message can be computed as:

$$C_0 / (A_3 / A_4) = M.$$


Identity-Based Version We can remove the parameter n and the restriction that identities are between 1 and n and allow identities to be in $\mathbb{Z}_p$. The resulting construction is selectively secure, but can also be seen as adaptively secure by a complexity leveraging argument, where one accepts degradation of security depending on the size of the identity space. Essentially, our hybrid proof of security requires the simulator to guess the identity of a single key query when it is making the public parameters. When the identity space is polynomial (e.g. 1 to n), this can be correctly guessed with non-negligible probability. When the identity space is exponential (e.g. $\mathbb{Z}_p$), we can achieve selective security by removing the guess (now the simulator knows the queried identities before it has to provide the public parameters) or retain adaptive security by accepting the exponentially small success probability.

5 Security

We will prove the following theorem.

Theorem 3. If the decisional Linear and decisional BDH assumptions hold, then our revocation system above is adaptively secure.

To prove this, we first define semi-functional keys and ciphertexts. These are not used in the real system, but they will be used in our proof of security. These objects have the following functionality: a semi-functional key can decrypt a normal ciphertext and a normal key can decrypt a semi-functional ciphertext. However, a semi-functional key cannot decrypt a semi-functional ciphertext. We define these as in the Waters IBE system:

Semi-Functional Ciphertexts We generate a semi-functional ciphertext by first running the encryption algorithm to produce a normal ciphertext for message M and set S:

$$C'_0,\ C'_1,\ C'_2,\ C'_3,\ C'_4,\ C'_5,\ C'_6,\ C'_7,\quad C'_{i,1},\ C'_{i,2}\ \ \forall i \in S.$$

Then we set $C_1 = C'_1$, $C_2 = C'_2$, $C_3 = C'_3$, $C_{i,1} = C'_{i,1}$, $C_{i,2} = C'_{i,2}\ \forall i \in S$ (these values are left unchanged). We choose a random $x \in \mathbb{Z}_p$, and set the rest of the ciphertext as:

$$C_4 = C'_4 \cdot g^{b a_2 x},\quad C_5 = C'_5 \cdot g^{a_2 x},\quad C_6 = C'_6 \cdot v_2^{a_2 x},\quad C_7 = C'_7 \cdot v_2^{a_2 b x}.$$

Semi-Functional Keys We generate a semi-functional key by first running the key generation algorithm to produce a normal private key for identity ID:

$$D'_1,\ D'_2,\ D'_3,\ D'_4,\ D'_5,\ D'_6,\ D'_7,\ K'.$$

Then we set $D_3 = D'_3$, $D_5 = D'_5$, $D_6 = D'_6$, $D_7 = D'_7$, $K = K'$ (these values are left unchanged). We choose a random $\gamma \in \mathbb{Z}_p$. We set the rest of the key as:

$$D_1 = D'_1 \cdot g^{-a_1 a_2 \gamma},\quad D_2 = D'_2 \cdot g^{a_2 \gamma},\quad D_4 = D'_4 \cdot g^{a_1 \gamma}.$$

We will prove selective security of our system under the decisional Linear and d-BDH assumptions through a hybrid argument. We use the following sequence of games.

$\mathrm{Game}_{Real}$: This denotes the real security game. We let $\mathrm{Game}_{Real}\mathrm{Adv}_A$ denote the advantage of an algorithm A in the real security game.

$\mathrm{Game}_0$: This is the same as $\mathrm{Game}_{Real}$, except that the ciphertext given to the attacker is semi-functional.


$\mathrm{Game}_k$: In this game, the ciphertext is semi-functional, and the keys given out for the first k key queries are semi-functional, while the rest of the keys are normal. For an adversary that submits a revocation set S of size r, we will let k range from 0 to r. Note that in $\mathrm{Game}_r$, the ciphertext and all the keys are semi-functional.

$\mathrm{Game}_{Final}$: This is the same as $\mathrm{Game}_r$, except that the ciphertext is a semi-functional encryption of a random message instead of $M_b$.

We show these games are indistinguishable in the following lemmas (the proofs can be found in Appendix C).

Lemma 4. Suppose there exists an algorithm A such that $\mathrm{Game}_{Real}\mathrm{Adv}_A - \mathrm{Game}_0\mathrm{Adv}_A = \varepsilon$. Then we can build an algorithm B with advantage ε in the decision Linear game.

Lemma 5. Suppose there exists an algorithm A that submits a revoked set of r users and $\mathrm{Game}_{k-1}\mathrm{Adv}_A - \mathrm{Game}_k\mathrm{Adv}_A = \varepsilon$ for some k with $1 \leq k \leq r$. Then we can build an algorithm B with advantage $\varepsilon/n$ in the decision Linear game.

Lemma 6. Suppose there exists an algorithm A that submits a revoked set of r users and $\mathrm{Game}_r\mathrm{Adv}_A - \mathrm{Game}_{Final}\mathrm{Adv}_A = \varepsilon$. Then we can build an algorithm B with advantage ε in the decision BDH game.

6 Attribute-Based Encryption

Our simple revocation scheme also gives rise to a new efficient Attribute-Based Encryption (ABE) scheme that allows access policies to be expressed in terms of any access formula over attributes. Until the recent work of Ostrovsky, Sahai, and Waters [35], all previous ABE schemes were limited to expressing only monotonic access structures. Our new ABE scheme, however, achieves significantly superior parameters in terms of key size. In the random oracle model, our new scheme will have the following key sizes: public parameters will be only O(1) group elements, and private keys for access structures involving t leaf attributes will be of size O(t). This is a significant improvement over previous work, which needed public parameters consisting of O(n) group elements, and private keys consisting of O(t log(n)) group elements, where n is a bound on the maximum number of attributes that any ciphertext could have. In our scheme, we do not need any such bound.

For brevity, we only describe at a high level what makes our revocation scheme so amenable to incorporation into ABE schemes. The essential property of our revocation scheme is that successful decryption (if a non-revoked user tries to decrypt) allows the user to recover $e(g,g)^{\alpha s}$, where α is a system parameter, while s is a random choice made at the time of encryption. This idea can be applied with α replaced by a linear secret share of α that corresponds to a negated leaf node in an access formula. By the properties of linear secret sharing schemes, and the randomization provided by s, this allows for a secure ABE system to be built using our revocation scheme as a building block.

Taken altogether, our revocation scheme gives a new and much more efficient instantiation of the OSW framework for non-monotonic ABE. We now describe our construction. We refer the reader to [35] for definitions. Our proofs appear in Appendix D.

6.1 Description of ABE construction

We follow the notation of [35] here, and describe our construction in the random oracle model to highlight the most efficient form of our construction.


Setup. The setup algorithm chooses generators g, h and picks random exponents $\alpha', \alpha'', b \in \mathbb{Z}_p$. We define $\alpha = \alpha' \cdot \alpha''$, $g_1 = g^{\alpha'}$ and $g_2 = g^{\alpha''}$. The public parameters are published as the following, where H is a random oracle that outputs elements of the elliptic curve group:

$$PK = \left(g,\ g^b,\ g^{b^2},\ h^b,\ e(g,g)^{\alpha},\ H(\cdot)\right).$$

The authority keeps (α′, α′′, b) as the master key MK.

Encryption (M, γ, PK). To encrypt a message $M \in G_T$ under a set of d attributes $\gamma \subset \mathbb{Z}_p^*$, choose a random value $s \in \mathbb{Z}_p$, and choose a random set of d values $\{s_x\}_{x \in \gamma}$ such that $s = \sum_{x \in \gamma} s_x$. Output the ciphertext as

$$E = \Big(\gamma,\ E^{(1)} = M e(g,g)^{\alpha \cdot s},\ E^{(2)} = g^s,\ \{E^{(3)}_x = H(x)^s\}_{x \in \gamma},\ \{E^{(4)}_x = g^{b \cdot s_x}\}_{x \in \gamma},\ \{E^{(5)}_x = g^{b^2 \cdot s_x \cdot x} h^{b \cdot s_x}\}_{x \in \gamma}\Big)$$

Key Generation (A, MK, PK). This algorithm outputs a key that enables the user to decrypt an encrypted message only if the attributes of that ciphertext satisfy the access structure A. We require that the access structure A is $NM(\tilde{A})$ for some monotonic access structure $\tilde{A}$ (see [35] for a definition of the $NM(\cdot)$ operator) over a set $\mathcal{P}$ of attributes, associated with a linear secret-sharing scheme Π. First, we apply the linear secret-sharing mechanism Π to obtain shares $\lambda_i$ of the secret $\alpha'$. We denote the party corresponding to the share $\lambda_i$ as $\check{x}_i \in \mathcal{P}$, where $x_i$ is the attribute underlying $\check{x}_i$. Note that $\check{x}_i$ can be primed (negated) or unprimed (non-negated). For each i, we also choose a random value $r_i \in \mathbb{Z}_p$.

The private key D will consist of the following group elements: For every i such that $\check{x}_i$ is not primed (i.e., is a non-negated attribute), we have

$$D_i = \left(D^{(1)}_i = g_2^{\lambda_i} \cdot H(x_i)^{r_i},\quad D^{(2)}_i = g^{r_i}\right)$$

For every i such that $\check{x}_i$ is primed (i.e., is a negated attribute), we have

$$D_i = \left(D^{(3)}_i = g_2^{\lambda_i} g^{b^2 r_i},\quad D^{(4)}_i = g^{r_i b x_i} h^{r_i},\quad D^{(5)}_i = g^{-r_i}\right)$$

The key D consists of Di for all shares i.

Decryption (E, D). Given a ciphertext E and a decryption key D, the following procedure is executed: (All notation here is taken from the above descriptions of E and D, unless the notation is introduced below.) First, the key holder checks if $\gamma \in A$ (we assume that this can be checked efficiently). If not, the output is ⊥. If $\gamma \in A$, then we recall that $A = NM(\tilde{A})$, where $\tilde{A}$ is an access structure, over a set of parties $\mathcal{P}$, for a linear secret-sharing scheme Π. Denote $\gamma' = N(\gamma) \in \tilde{A}$, and let $I = \{i : \check{x}_i \in \gamma'\}$. Since $\gamma'$ is authorized, an efficient procedure associated with the linear secret-sharing scheme yields a set of coefficients $\Omega = \{\omega_i\}_{i \in I}$ such that

$$\sum_{i \in I} \omega_i \lambda_i = \alpha'.$$

(Note, however, that these $\lambda_i$ are not known to the decryption procedure, so neither is $\alpha'$.)

For every positive (non-negated) attribute $\check{x}_i \in \gamma'$ (so $x_i \in \gamma$), the decryption procedure computes the following:

$$Z_i = e\left(D^{(1)}_i, E^{(2)}\right) \Big/ e\left(D^{(2)}_i, E^{(3)}_{x_i}\right) = e\left(g_2^{\lambda_i} \cdot H(x_i)^{r_i},\ g^s\right) \Big/ e\left(g^{r_i},\ H(x_i)^s\right) = e(g, g_2)^{s \lambda_i}$$


For every negated attribute $\check{x}_i \in \gamma'$ (so $x_i \notin \gamma$), the decryption procedure computes the following, following a simple analogy to the basic revocation scheme:

$$Z_i = \frac{e\left(D^{(3)}_i, E^{(2)}\right)}{e\left(D^{(4)}_i,\ \prod_{x \in \gamma} \left(E^{(4)}_x\right)^{1/(x_i - x)}\right) \cdot e\left(D^{(5)}_i,\ \prod_{x \in \gamma} \left(E^{(5)}_x\right)^{1/(x_i - x)}\right)} = e(g, g_2)^{s \lambda_i}$$

Finally, the decryption is obtained by computing

$$\frac{E^{(1)}}{\prod_{i \in I} Z_i^{\omega_i}} = \frac{M e(g,g)^{s\alpha}}{e(g, g_2)^{s\alpha'}} = M$$
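As an added illustration, not from the paper, the same exponent-level simulation (discrete logs in place of group elements, multiplication mod p in place of the pairing) applied to the ABE construction above: H is a memoised random exponent per attribute, and the access structure is instantiated as a k-of-n threshold over positive and negated literals, with Shamir shares of $\alpha'$ and Lagrange coefficients $\omega_i$ as one concrete linear secret-sharing scheme Π (the paper allows any LSSS). The modulus P, the threshold policy and the key/ciphertext dictionaries are assumptions of this example; it checks the decryption equations only and provides no security.

```python
# Added example (not from the paper): exponent-level simulation of the
# Section 6.1 construction.  Elements of G and G_T are stored as discrete logs
# (base g and base e(g,g)), so multiplication is addition mod P, exponentiation
# is multiplication mod P and e(g^x, g^y) = e(g,g)^{xy}.  The random oracle H is
# a memoised random exponent per attribute.  The access structure is a k-of-n
# threshold over literals (attribute, negated), realised as Shamir shares of
# alpha': one concrete linear secret-sharing scheme Pi.  No security is provided.
import secrets

P = (1 << 61) - 1   # prime standing in for the group order p (constructed)
_H = {}             # random-oracle table: attribute -> exponent of H(x)


def rnd():
    return secrets.randbelow(P - 1) + 1


def H(x):
    if x not in _H:
        _H[x] = rnd()
    return _H[x]


def e(x, y):
    return x * y % P


def setup():
    h, alpha1, alpha2, b = rnd(), rnd(), rnd(), rnd()     # h, alpha', alpha'', b
    pk = {"g^b": b, "g^b2": b * b % P, "h^b": h * b % P,
          "e(g,g)^alpha": alpha1 * alpha2 % P}            # alpha = alpha' alpha''
    mk = {"alpha'": alpha1, "alpha''": alpha2, "b": b, "h": h}  # h is kept by the authority
    return pk, mk


def encrypt(pk, m, gamma):
    """Encrypt exponent m under attribute set gamma (distinct nonzero integers)."""
    sx = {x: rnd() for x in gamma}                        # shares s_x
    s = sum(sx.values()) % P                              # s = sum_x s_x
    return {"gamma": list(gamma),
            "E1": (m + pk["e(g,g)^alpha"] * s) % P,       # M e(g,g)^{alpha s}
            "E2": s,                                      # g^s
            "E3": {x: H(x) * s % P for x in gamma},       # H(x)^s
            "E4": {x: pk["g^b"] * sx[x] % P for x in gamma},   # g^{b s_x}
            "E5": {x: (pk["g^b2"] * sx[x] * x + pk["h^b"] * sx[x]) % P
                   for x in gamma}}                       # g^{b^2 s_x x} h^{b s_x}


def keygen(mk, literals, k):
    """literals: [(attribute, negated)]; the key decrypts when at least k literals hold."""
    poly = [mk["alpha'"]] + [rnd() for _ in range(k - 1)]   # f(0) = alpha'
    parts = []
    for i, (x, neg) in enumerate(literals, start=1):
        lam = sum(c * pow(i, j, P) for j, c in enumerate(poly)) % P  # lambda_i = f(i)
        r = rnd()
        g2lam = mk["alpha''"] * lam % P                   # g_2^{lambda_i}
        if not neg:
            d = {"D1": (g2lam + H(x) * r) % P, "D2": r}   # g2^{lam} H(x)^r, g^r
        else:
            d = {"D3": (g2lam + mk["b"] * mk["b"] * r) % P,       # g2^{lam} g^{b^2 r}
                 "D4": (r * mk["b"] * x + mk["h"] * r) % P,       # g^{r b x} h^r
                 "D5": -r % P}                                     # g^{-r}
        parts.append((i, x, neg, d))
    return {"k": k, "parts": parts}


def lagrange_at_zero(i, idx):
    """omega_i such that f(0) = sum_i omega_i f(i) over the points in idx."""
    num = den = 1
    for j in idx:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def decrypt(ct, key):
    gamma = ct["gamma"]
    # a literal holds if x in gamma (positive) or x not in gamma (negated)
    sat = [p for p in key["parts"] if (p[1] in gamma) != p[2]]
    if len(sat) < key["k"]:
        return None                                       # gamma not in A: output bottom
    used = sat[:key["k"]]
    idx = [i for i, _, _, _ in used]
    acc = 0
    for i, x, neg, d in used:
        if not neg:
            z = (e(d["D1"], ct["E2"]) - e(d["D2"], ct["E3"][x])) % P
        else:   # x not in gamma, so every x_i - y is invertible mod P
            p4 = sum(ct["E4"][y] * pow(x - y, -1, P) for y in gamma) % P
            p5 = sum(ct["E5"][y] * pow(x - y, -1, P) for y in gamma) % P
            z = (e(d["D3"], ct["E2"]) - e(d["D4"], p4) - e(d["D5"], p5)) % P
        acc = (acc + lagrange_at_zero(i, idx) * z) % P    # prod_i Z_i^{omega_i}
    return (ct["E1"] - acc) % P                           # E1 / prod_i Z_i^{omega_i} = M
```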

Note on Efficiency and Use of Random Oracle Model. We note that encryption requires only a single pairing, which may be pre-computed, regardless of the number of attributes associated with a ciphertext. We also note that decryption requires two or three pairings per share utilized in decryption, depending on whether the share corresponds to a non-negated attribute or a negated attribute, respectively.

We also note that we use a random oracle for description simplicity and efficiency of the system. We can, alternatively, realize our hash function concretely as in other previous ABE systems [37, 25, 35].

References

[1] Sattam S. Al-Riyami, John Malone-Lee, and Nigel P. Smart. Escrow-free encryption supporting cryptographic workflow. Int. J. Inf. Sec., 5(4):217–229, 2006.

[2] H. Anton and C. Rorres. Elementary Linear Algebra, 9th Edition. 2005.

[3] Walid Bagga, Refik Molva, and Stefano Crosta. Policy-based encryption schemes from bilinear pairings. In ASIACCS, page 368, 2006.

[4] Manuel Barbosa and Pooya Farshim. Secure cryptographic workflow in the standard model. In INDOCRYPT, pages 379–393, 2006.

[5] A. Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

[6] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In Proceedings of the IEEE Symposium on Security and Privacy, 2007.

[7] D. Boneh and M. Franklin. Identity Based Encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO, volume 2139 of LNCS, pages 213–229. Springer, 2001.

[8] Dan Boneh and Xavier Boyen. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In Advances in Cryptology – Eurocrypt, volume 3027 of LNCS, pages 223–238. Springer, 2004.

[9] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 440–456. Springer, 2005.


[10] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In CRYPTO, pages 258–275, 2005.

[11] Robert W. Bradshaw, Jason E. Holt, and Kent E. Seamons. Concealing complex policies with hidden credentials. In ACM Conference on Computer and Communications Security, pages 146–157, 2004.

[12] Jan Camenisch, Susan Hohenberger, and Anna Lysyanskaya. Compact e-cash. In EUROCRYPT, pages 302–321, 2005.

[13] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas. Multicast security: A taxonomy and some efficient constructions. In Proc. IEEE INFOCOM 1999, volume 2, pages 708–716. IEEE, 1999.

[14] R. Canetti, S. Halevi, and J. Katz. A Forward-Secure Public-Key Encryption Scheme. In Advances in Cryptology – Eurocrypt, volume 2656 of LNCS. Springer, 2003.

[15] R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. In Proc. of Eurocrypt 2004, volume 3027 of LNCS, pages 207–222. Springer-Verlag, 2004.

[16] R. Canetti, T. Malkin, and K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Proc. of Eurocrypt 1999, pages 459–474. Springer-Verlag, 1999.

[17] Melissa Chase. Multi-authority attribute-based encryption. In The Fourth Theory of Cryptography Conference (TCC 2007), 2007.

[18] Cecile Delerablee, Pascal Paillier, and David Pointcheval. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In Pairing, pages 39–59, 2007.

[19] Yevgeniy Dodis and Nelly Fazio. Public key broadcast encryption for stateless receivers. In Digital Rights Management Workshop, pages 61–80, 2002.

[20] A. Fiat and M. Naor. Broadcast encryption. In Proc. of Crypto 1993, volume 773 of LNCS, pages 480–491. Springer-Verlag, 1993.

[21] E. Gafni, J. Staddon, and Y.L. Yin. Efficient methods for integrating traceability and broadcast encryption. In Proc. of Crypto 1999, volume 1666 of LNCS, pages 372–387. Springer-Verlag, 1999.

[22] J. Garay, J. Staddon, and A. Wool. Long-lived broadcast encryption. In Proc. of Crypto 2000, volume 1880 of LNCS, pages 333–352. Springer-Verlag, 2000.

[23] C. Gentry and B. Waters. Adaptive security in broadcast encryption systems. In Advances in Cryptology - EUROCRYPT 2009, volume 5479 of LNCS, pages 171–188. Springer-Verlag, 2009.

[24] M.T. Goodrich, J.Z. Sun, and R. Tamassia. Efficient tree-based revocation in groups of low-state devices. In Proc. of Crypto 2004, volume 3152 of LNCS, pages 511–527. Springer-Verlag, 2004.

[25] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data. In ACM conference on Computer and Communications Security (ACM CCS), 2006.


[26] Vipul Goyal, Abishek Jain, Omkant Pandey, and Amit Sahai. Bounded ciphertext policy attribute-based encryption. In ICALP, 2008.

[27] D. Halevy and A. Shamir. The LSD Broadcast Encryption Scheme. In Advances in Cryptology – CRYPTO, volume 2442 of LNCS, pages 47–60. Springer, 2002.

[28] A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proc. of ANTS IV, volume 1838 of LNCS, pages 385–94. Springer-Verlag, 2000.

[29] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. J. of Cryptology, 16(4):239–247, 2003. Early version in Cryptology ePrint Archive, Report 2001/003.

[30] Ravi Kumar, Sridhar Rajagopalan, and Amit Sahai. Coding constructions for blacklisting problems without computational assumptions. In CRYPTO, pages 609–623, 1999.

[31] Kaoru Kurosawa and Yvo Desmedt. Optimum traitor tracing and asymmetric schemes. In EUROCRYPT, pages 145–157, 1998.

[32] Gerome Miklau and Dan Suciu. Controlling access to published data using cryptography. In VLDB, pages 898–909, 2003.

[33] D. Naor, M. Naor, and J. Lotspiech. Revocation and tracing schemes for stateless receivers. In Proc. of Crypto 2001, volume 2139 of LNCS, pages 41–62. Springer-Verlag, 2001.

[34] M. Naor and B. Pinkas. Efficient trace and revoke schemes. In Proc. of Financial Cryptography 2000, volume 1962 of LNCS, pages 1–20. Springer-Verlag, 2000.

[35] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute Based Encryption with Non-Monotonic Access Structures. In ACM conference on Computer and Communications Security (ACM CCS), 2007.

[36] V.V. Prasolov. Problems and Theorems in Linear Algebra. American Mathematical Society, 1994.

[37] A. Sahai and B. Waters. Fuzzy Identity Based Encryption. In Advances in Cryptology – Eurocrypt, volume 3494 of LNCS, pages 457–473. Springer, 2005.

[38] Claus-Peter Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3), 1991.

[39] A.T. Sherman and D.A. McGrew. Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng., 29(5):444–458, 2003.

[40] Nigel P. Smart. Access control using pairing based cryptography. In CT-RSA, pages 111–121, 2003.

[41] D.R. Stinson. On some methods for unconditionally secure key distribution and broadcast encryption. Des. Codes Cryptography, 12(3):215–243, 1997.

[42] D.R. Stinson and T.V. Trung. Some new results on key distribution patterns and broadcast encryption. Des. Codes Cryptography, 14(3):261–279, 1998.

[43] D.R. Stinson and R. Wei. Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM J. Discret. Math., 11(1):41–53, 1998.


[44] D.M. Wallner, E.J. Harder, and R.C. Agee. Key management for multicast: Issues and architectures. IETF draft wallner-key, 1997.

[45] B. Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In Proc. of Crypto 2009, volume 5677 of LNCS, pages 619–636. Springer-Verlag, 2009.

[46] C.K. Wong, M. Gouda, and S. Lam. Secure group communications using key graphs. In Proc. of SIGCOMM 1998, 1998.

[47] E. Yoo, N. Jho, J. Cheon, and M. Kim. Efficient broadcast encryption using multiple interpolation methods. In Proc. of ICISC 2004, volume 3506 of LNCS, pages 87–103. Springer-Verlag, 2005.

A Background on Bilinear Maps and our Complexity Assumptions

A.1 Bilinear Maps

We briefly review the necessary facts about bilinear maps and bilinear map groups. We use the following standard notation [28, 29, 7]:

1. G and $G_T$ are two (multiplicative) cyclic groups of prime order p;
2. g is a generator of G.
3. $e : G \times G \to G_T$ is a bilinear map.

Let G and $G_T$ be two groups as above. A bilinear map is a map $e : G \times G \to G_T$ with the following properties:

1. Bilinear: for all $u, v \in G$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u,v)^{ab}$.
2. Non-degenerate: $e(g,g) \neq 1$.

We say that G is a bilinear group if the group action in G can be computed efficiently and there exists a group $G_T$ and an efficiently computable bilinear map $e : G \times G \to G_T$ as above. Note that $e(\cdot,\cdot)$ is symmetric since $e(g^a, g^b) = e(g,g)^{ab} = e(g^b, g^a)$.

A.2 Complexity Assumptions

Decisional B­ilinear Diffie-Hellman Assumption The decisional Bilinear Diffie-Hellman problem is defined as follows. We choose a group G of prime order p. We choose a random generator g of G and random exponents $c_1, c_2, c_3 \in \mathbb{Z}_p$. If the attacker is given

$$\vec{y} = \left(g,\ g^{c_1},\ g^{c_2},\ g^{c_3}\right),$$

it must remain hard to distinguish $e(g,g)^{c_1 c_2 c_3} \in G_T$ from a random element of $G_T$. An algorithm B that outputs $z \in \{0,1\}$ has advantage ε in solving decisional BDH in G if

$$\left| \Pr\left[B\left(\vec{y}, T = e(g,g)^{c_1 c_2 c_3}\right) = 0\right] - \Pr\left[B\left(\vec{y}, T = R\right) = 0\right] \right| \geq \varepsilon.$$

Definition 7. We say the decisional BDH assumption holds if no poly-time algorithm has a non-negligible advantage in solving the decisional BDH problem.


Decisional Linear Assumption The decisional Linear problem is defined as follows. We choose a group G of prime order p. We choose random generators $g, f, \nu$ of G and random exponents $c_1, c_2 \in \mathbb{Z}_p$. If the attacker is given

$$\vec{y} = \left(g,\ f,\ \nu,\ g^{c_1},\ f^{c_2}\right),$$

it must remain hard to distinguish $\nu^{c_1 + c_2}$ from a random element of G. An algorithm B that outputs $z \in \{0,1\}$ has advantage ε in solving the decisional Linear problem in G if

$$\left| \Pr\left[B\left(\vec{y}, T = \nu^{c_1 + c_2}\right) = 0\right] - \Pr\left[B\left(\vec{y}, T = R\right) = 0\right] \right| \geq \varepsilon.$$

Definition 8. We say the decisional Linear assumption holds if no poly-time algorithm has a non-negligible advantage in solving the decisional Linear problem.

q-Decisional Multi-Exponent Bilinear Diffie-Hellman Assumption To prove the security of our simple system we use a new assumption that we call the q-decisional Multi-Exponent Bilinear Diffie-Hellman assumption. Our assumption falls within a class of assumptions shown to be secure in the generic group model by Boneh, Boyen, and Goh [9]. While our assumption is non-standard, we emphasize that it is non-interactive and thus falsifiable.

Let G be a bilinear group of prime order p. The q-MEBDH problem in G is stated as follows: A challenger picks a generator $g \in G$ and random exponents $s, \alpha, a_1, \ldots, a_q$. The attacker is then given

$$\vec{y} = \Big(g,\ g^s,\ e(g,g)^{\alpha},\quad \forall\, 1 \leq i,j \leq q:\ g^{a_i},\ g^{a_i s},\ g^{a_i a_j},\ g^{\alpha/a_i^2},\quad \forall\, 1 \leq i,j,k \leq q,\ i \neq j:\ g^{a_i a_j s},\ g^{\alpha a_j/a_i^2},\ g^{\alpha a_i a_j/a_k^2},\ g^{\alpha a_i^2/a_j^2}\Big),$$

it must remain hard to distinguish $e(g,g)^{\alpha \cdot s} \in G_T$ from a random element in $G_T$. An algorithm B that outputs $z \in \{0,1\}$ has advantage ε in solving decisional q-parallel BDHE in G if

$$\left| \Pr\left[B\left(\vec{y}, T = e(g,g)^{\alpha s}\right) = 0\right] - \Pr\left[B\left(\vec{y}, T = R\right) = 0\right] \right| \geq \varepsilon.$$

Definition 9. We say that the q-decisional Multi-Exponent Bilinear Diffie-Hellman assumption holds if no poly-time algorithm has non-negligible advantage in solving the q-MEBDH problem.

Remark. It is tempting to try to simplify our assumption using previous techniques. For example, we might consider choosing a single variable a and substituting all $a_j$ with $a^j$. Unfortunately, this substitution gives rise to a problem that is insecure.

B Security of our Simple Revocation System

B.1 Generic Security of Multi-Exponent BDH

We briefly show that our decisional MEBDH assumption is generically secure. We use the generic proof template of Boneh, Boyen, and Goh [9].


Using the terminology from BBG we need to show that $f = \alpha s$ is independent of the polynomials P and Q. We have that $Q = \{1, \alpha\}$. In addition, we have

$$P = \{1,\ s\} \cup \{a_i,\ a_i s,\ a_i a_j,\ \alpha/a_i^2\}_{i,j \in [1,q]} \cup \{a_i a_j s,\ \alpha a_j/a_i^2,\ \alpha a_i a_j/a_k^2,\ \alpha a_i^2/a_j^2\}_{i,j,k \in [1,q],\ i \neq j}$$

We first note that this case at first might appear to be outside the BBG framework, since the polynomials are rational functions (due to the terms with inverses). However, by a simple renaming of terms we can see this is equivalent to an assumption where we use a generator u and let $g = u^{\prod_{j \in [1,q]} a_j^2}$. Applying this substitution we get a set of polynomials where the maximum degree of any polynomial in the set P is $2q + 3$.

We need to also check that f is symbolically independent of the product of any two polynomials in P, Q. To realize f from P, Q we would need to have a term of the form $\alpha s$. We note that no such terms can be realized from the product of two polynomials $p, p' \in P$. If we use the polynomial s as p then no other potential $p'$ has α. If we use $a_i \cdot s$ as p then no other potential $p'$ has $\alpha/a_i$. Finally, if we use $a_i a_j s$ with $i \neq j$ for p then no other potential $p'$ is of the form $\alpha/(a_i a_j)$ for $i \neq j$. Any dependence on f must have a term of s in it, but we just eliminated all possibilities.

It follows from the BBG framework that the assumption is then generically secure. In particular, for an attacker that makes at most n queries to the group oracle we have that its advantage is bounded by

$$\frac{\left(n + 2(q^3 + 4q^2 + 3q) + 2\right)^2 \cdot (4q + 6)}{2p}$$

In the general case where $n > q^3$ we have that the advantage is $O(n^2 \cdot q/p)$.

B.2 Proof of Security for Simple Revocation System

We now prove the following theorem.

Theorem 2. Suppose the decisional q-MEBDH assumption holds. Then no poly-time adversary can selectively break our simple revocation system with a ciphertext encrypted to $r^* \leq q$ revoked users.

Suppose we have an adversary A with non-negligible advantage $\varepsilon = \mathrm{Adv}_A$ in the selective security game against our construction. Moreover, suppose A attacks our system with a ciphertext of at most q revoked users. We show how to build a simulator, B, that plays the decisional q-MEBDH problem.

The simulator begins by receiving a q-MEBDH challenge $\vec{X}, T$. The simulator then proceeds in the game as follows.

Init The adversary A declares a revocation set $S^* = \{ID_1, \ldots, ID_{r^*}\}$ of size $r^* \leq q$ that he gives to the simulator. (If $r^* < q$ the simulator will just ignore some of the terms given in $\vec{X}$.)

Setup The simulator now creates the public key PK and gives A the private keys for all identities in $S^*$. Conceptually, it will set b as $a_1 + a_2 + \cdots + a_{r^*}$. The simulator first chooses a random $y \in \mathbb{Z}_p$.


The public key PK is published as:

$$\Big(g,\quad g^b = \prod_{1 \leq i \leq r^*} g^{a_i},\quad g^{b^2} = \prod_{1 \leq i,j \leq r^*} \left(g^{a_i \cdot a_j}\right),\quad h = \prod_{1 \leq i \leq r^*} \left(g^{a_i}\right)^{-ID_i} g^y,\quad e(g,g)^{\alpha}\Big)$$

We observe that the public parameters are distributed identically to the real system and that the revocation set $S^*$ is reflected in the simulation's construction of the parameter h.

Now the simulator must construct all private keys in the revocation set S. For each identity $ID_i$ the simulator will choose a random $z_i \in \mathbb{Z}_p$ and will (implicitly) set the randomness $t_i$ of the i-th identity as $t_i = -\alpha/a_i^2 + z_i$.

Setting $t_i$ this way allows us to generate the private key components for two reasons. First, in the $D_0$ component we need to cancel out the $g^{\alpha}$ term that we do not know. Since $g^{b^2}$ contains a term of $g^{a_i^2}$, raising it to $-\alpha/a_i^2$ will cancel this term. Second, we need to make sure that we can still realize the $D_2$ component. To generate this we will have several terms of the form $g^{\alpha a_j/a_i^2}$, which we have for $i \neq j$. Yet, if $i = j$ this generates a term $g^{\alpha/a_i}$ that we do not have. However, by our setting of the h parameter a term like this will never appear. The private key for $ID_i$ is generated as follows:

$$D_0 = \prod_{\substack{1 \leq j,k \leq n \\ \text{s.t. if } j = k \text{ then } j,k \neq i}} \left(g^{-\alpha a_j a_k / a_i^2}\right) \prod_{1 \leq j,k \leq n} \left(g^{a_j a_k}\right)^{z_i}$$

$$D_1 = \prod_{\substack{1 \leq j \leq n \\ j \neq i}} \left(g^{-\alpha \cdot a_j / a_i^2}\right)^{(ID_i - ID_j)} \left(g^{(ID_i - ID_j) \cdot a_j}\right)^{z_i} \cdot \left(g^{-\alpha/a_i^2}\right)^{y} g^{y z_i}$$

$$D_2 = g^{\alpha/a_i^2} g^{-z_i}$$

Remark. Note that in the above construction, for any fixed coefficient µ, by changing $t_i = -\mu\alpha/a_i^2 + z_i$, and appropriately raising the relevant parts of the construction above to a µ factor, one can create $D_0 = g^{\mu\alpha + b^2 t_i}$, while keeping $D_1 = (g^{b\, ID_i} h)^{t_i}$, and $D_2 = g^{-t_i}$. This observation is not relevant to this proof, but will be useful in the proof of our related ABE scheme.

Challenge The simulator receives $M_0, M_1$ and chooses random $\beta \in \{0,1\}$. The simulator then chooses random $s', s'_1, \ldots, s'_{r^*} \in \mathbb{Z}_p$ such that $s' = \sum_i s'_i$. For notational convenience let $u_i = g^{b^2 ID_i} h^b$; note this is computable from the public parameters, which were already set.

Conceptually, the ciphertext will be encrypted under randomness $s + s'$ (which plays the role of s in the scheme) and be broken into shares $s_i = a_i s/b + s'_i$. Recall that $b = \sum_j a_j$; therefore, $\sum_i s_i = s + s'$.

Our methodology is to split s into pieces such that we can simulate all ciphertext components. Conceptually, we will look for a "hole" in each term. We will use the fact that from the simulator's view the function $g^{b\, ID_i} h$ has no term of $g^{a_i}$ by cancelation. Therefore, if we raise this to $s \cdot a_i$ the simulator will have all the necessary terms. In this manner we "spread" the different shares of s as $s \cdot a_i/b$, each into its own "slot".

Our proof technique has two important points. First, in simulating the $C_{i,1}$ and $C_{i,2}$ components the $b^{-1}$ term from the shares will cancel out. Second, in generating the $C_{i,2}$ components we will need elements of the form $g^{s a_i a_j}$ that we have for $i \neq j$. Yet, if $i = j$ this creates an element that we do not have. Again, by our setting of h we do not run into this case.


The challenge CT is created as

$$C' = T\, e(g,g)^{\alpha s'} \cdot M_{\beta},\qquad C_0 = g^s g^{s'},\qquad C_{i,1} = g^{s a_i} \Big(\prod_j g^{a_j}\Big)^{s'_i},\qquad C_{i,2} = \prod_{\substack{1 \leq j \leq r^* \\ i \neq j}} \left(g^{s a_i a_j}\right)^{ID_i - ID_j} \left(g^{a_i s}\right)^{y} u_i^{s'_i}$$

The $C_{i,2}$ equation can be understood by recalling that $C_{i,2} = (g^{b\, ID_i} h)^{b s_i}$ and then noting that $b s_i = s a_i + b s'_i$.

Guess The adversary will eventually output a guess β′ of β. The simulator then outputs 0, to guess that $T = e(g,g)^{\alpha s}$, if β = β′; otherwise, it outputs 1 to indicate that it believes T is a random group element in $G_T$.

When T is a tuple the simulator B gives a perfect simulation so we have that

$$\Pr\left[B\left(\vec{X}, T = e(g,g)^{\alpha s}\right) = 0\right] = \frac{1}{2} + \mathrm{Adv}_A.$$

When T is a random group element the message $M_{\beta}$ is completely hidden from the adversary and we have $\Pr\left[B\left(\vec{X}, T = R\right) = 0\right] = \frac{1}{2}$. Therefore, B can play the decisional q-MEBDH game with non-negligible advantage.

B.3 Remark on Security Parameters

Our system is shown to be secure under a new non-interactive assumption. Our proof, in the standard model, shows that a ciphertext that revokes up to r users is secure if the decisional r-MEBDH assumption holds. We remark that generically, an adversary that makes n queries to a group oracle will have advantage $O(n^2 r/p)$ for a group of prime order p (see Appendix B.1). Equivalent generic security to decisional Bilinear Diffie-Hellman can then be realized by increasing the size of p by just an additive factor of lg(r) bits.

C Proof of Security for our Second Revocation System

Lemma 4. Suppose there exists an algorithm A such that $\mathrm{Game}_{Real}\mathrm{Adv}_A - \mathrm{Game}_0\mathrm{Adv}_A = \varepsilon$. Then we can build an algorithm B with advantage ε in the decision Linear game.

Proof. (This proof is essentially the same as the proof of Lemma 1 in [45], but we include it for completeness.) B first receives an instance of the decisional Linear problem: $(G, g, f, \nu, g^{c_1}, f^{c_2}, T)$. B must decide whether $T = \nu^{c_1 + c_2}$ or is random. To accomplish this, B will call on A by simulating either $\mathrm{Game}_{Real}$ or $\mathrm{Game}_0$. A first sends a set $S = \{ID_1, \ldots, ID_r\}$ to B.

Setup B chooses random exponents $b, \alpha, y_v, y_{v_1}, y_{v_2} \in \mathbb{Z}_p$ and random group elements $w, h \in \mathbb{G}$. It then sets $g = g$, $g^{a_1} = f$, $g^{a_2} = \nu$, $w = w$, $h = h$. Note that B does not know the values $a_1, a_2$. It also sets:
$$g^b,\quad g^{ba_1} = f^b,\quad g^{ba_2} = \nu^b,\quad v = g^{y_v},\quad v_1 = g^{y_{v_1}},\quad v_2 = g^{y_{v_2}}.$$
B also computes $\tau_1, \tau_2, \tau_1^b, \tau_2^b, e(g,g)^{\alpha a_1 b} = e(g,f)^{\alpha b}$. Note that $\tau_1$ (for example) can be computed as $\tau_1 = v\,v_1^{a_1} = v\,f^{y_{v_1}}$. B sends the public parameters to A.

Key Generation B only needs to produce normal keys for $ID_i$ for all $ID_i \in S$. It can produce these through the usual key generation algorithm since it knows $MSK = g, g^{a_1}, \alpha, v, v_1, v_2$.


Challenge Ciphertext Once B has given A the public parameters and the keys for all elements of $S = \{ID_1, \dots, ID_r\}$, A sends B two messages $M_0, M_1$. B chooses a random value $\beta \in \{0,1\}$ and will create a semi-functional ciphertext for $M_\beta, S$ as follows. First, B chooses random exponents $s'_1, s'_2, t_1, \dots, t_r$, and uses the normal encryption algorithm to produce $C'_0, C'_1, \dots, C'_7, C'_{1,1}, C'_{1,2}, \dots, C'_{r,1}, C'_{r,2}$. It leaves the terms $C_{i,1} = C'_{i,1}$, $C_{i,2} = C'_{i,2}$ unchanged for i from 1 to r. The rest of the terms are set as:
$$C_0 = C'_0\,\big(e(g^{c_1}, f)\,e(g, f^{c_2})\big)^{b\alpha},\quad C_1 = C'_1\,(g^{c_1})^b,\quad C_2 = C'_2\,(f^{c_2})^{-b},\quad C_3 = C'_3\,(f^{c_2})^{-1},\quad C_4 = C'_4\,T^b,$$
$$C_5 = C'_5\,T,\quad C_6 = C'_6\,(g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}T^{y_{v_2}},\quad C_7 = C'_7\,\big((g^{c_1})^{y_v}(f^{c_2})^{-y_{v_1}}T^{y_{v_2}}\big)^b.$$
If $T = \nu^{c_1+c_2}$, this will be a normal ciphertext with $s_1 = -c_2 + s'_1$, $s_2 = c_1 + c_2 + s'_2$, and $s = s_1 + s_2 = c_1 + s'_1 + s'_2$. If T is random, this will be a properly distributed semi-functional ciphertext. Thus, B can use A's output to obtain the same advantage in distinguishing $T = \nu^{c_1+c_2}$ from random that A has in distinguishing $\mathrm{Game}_{Real}$ from $\mathrm{Game}_0$.

Lemma 5. Suppose there exists an algorithm A that submits a revoked set of r users and $\mathrm{Game}_{k-1}\mathrm{Adv}_A - \mathrm{Game}_k\mathrm{Adv}_A = \varepsilon$ for some k with $1 \le k \le r$. Then we can build an algorithm B with advantage $\varepsilon/n$ in the decision Linear game.

Proof. B first receives an instance of the decisional Linear problem: $(\mathbb{G}, g, f, \nu, g^{c_1}, f^{c_2}, T)$. B must decide whether $T = \nu^{c_1+c_2}$ or is random. To accomplish this, B will call on A by simulating either $\mathrm{Game}_k$ or $\mathrm{Game}_{k-1}$. B randomly guesses a value $ID_k \in \{1, 2, \dots, n\}$ for the kth key that A will query.

Setup B chooses random exponents $\alpha, a_1, a_2, y_{v_1}, y_{v_2}, y_w, y_h \in \mathbb{Z}_p$ and sets the public parameters by computing:
$$g^b = f,\quad g^{a_1},\quad g^{a_2},\quad g^{ba_1} = f^{a_1},\quad g^{ba_2} = f^{a_2},\quad v = \nu^{-a_1 a_2},\quad v_1 = \nu^{a_2} g^{y_{v_1}},\quad v_2 = \nu^{a_1} g^{y_{v_2}},$$
$$e(g,g)^{\alpha a_1 b} = e(f,g)^{\alpha a_1},\quad \tau_1 = v\,v_1^{a_1},\quad \tau_2 = v\,v_2^{a_2},\quad \tau_1^b = f^{y_{v_1} a_1},\quad \tau_2^b = f^{y_{v_2} a_2},\quad w = f g^{y_w},\quad h = w^{-ID_k} g^{y_h}.$$
We note that the distribution of these public parameters does not depend on the guess $ID_k$, since $y_h$ is randomly chosen. With probability $1/n$, B has correctly guessed the kth identity/index that A will query.

Key Generation To generate a normal key for $ID_j$ when $j > k$, the simulator B can run the usual key generation algorithm, since it knows the MSK. To generate a semi-functional key for $ID_j$ when $j < k$, the simulator can run the semi-functional key generation algorithm described above because it knows the exponents $a_1$ and $a_2$. For $ID_k$, the simulator will create a key that is normal if $T = \nu^{c_1+c_2}$ and is semi-functional if T is random.

When the kth query is received, if it does not equal the guessed value $ID_k$, the simulator quits. Otherwise, B continues. To generate the key for $ID_k$, B starts by running the usual key generation algorithm to produce a normal key $SK_{ID_k}: D'_1, D'_2, \dots, D'_7, K'$. We let $d'_1, d'_2, z'_1, z'_2$ denote the random exponents that were chosen. We then set:
$$D_1 = D'_1\,T^{-a_1 a_2},\quad D_2 = D'_2\,T^{a_2}(g^{c_1})^{y_{v_1}},\quad D_3 = D'_3\,(f^{c_2})^{y_{v_1}},\quad D_4 = D'_4\,T^{a_1}(g^{c_1})^{y_{v_2}},$$
$$D_5 = D'_5\,(f^{c_2})^{y_{v_2}},\quad D_6 = D'_6\,f^{c_2},\quad D_7 = D'_7\,(g^{c_1}),\quad K = K'\,(g^{c_1})^{y_h}.$$
We note that we have implicitly set $z_1 = z'_1 - y_{v_1}c_2$ and $z_2 = z'_2 - y_{v_2}c_2$. If $T = \nu^{c_1+c_2}$, then this is a normal key with $d_1 = d'_1 + c_1$ and $d_2 = d'_2 + c_2$. We can compute K because the $w^{ID_k}$ terms cancel: $K = (w^{ID_k} w^{-ID_k} g^{y_h})^{d'_1 + c_1}$. If T is random, we can write T as $T = \nu^{c_1+c_2} g^{\gamma}$ and we obtain a semi-functional key with γ playing the same role as in the semi-functional key definition above.


Challenge Ciphertext Once B has given A the public parameters and the queried keys, A sends B two messages $M_0, M_1$ and the revoked set S, which must include all queried keys. B chooses a random value $\beta \in \{0,1\}$ and will create a semi-functional ciphertext for $M_\beta, S$ as follows. First, B uses the normal encryption algorithm with randomly chosen exponents $s'_1, s'_2, t'$ to create $C'_0, C'_1, \dots, C'_7$. Then $C_0 = C'_0$, $C_1 = C'_1$, $C_2 = C'_2$, $C_3 = C'_3$ are left unchanged. To add semi-functionality, B chooses a random exponent $x \in \mathbb{Z}_p$ and sets:
$$C_4 = C'_4\,f^{a_2 x},\quad C_5 = C'_5\,g^{a_2 x},\quad C_6 = C'_6\,v_2^{a_2 x},\quad C_7 = C'_7\,f^{a_2 y_{v_2} x}\,\nu^{-a_1 x y_w a_2}.$$
To create $C_7$, we have implicitly set $g^t = g^{t'} \nu^{a_1 x a_2}$. We let $y_\nu$ denote the unknown discrete log of ν in base g. Then, we have set $t = t' + y_\nu a_1 a_2 x$, so t is not known to B, but t' is. For $i \neq k$, $1 \le i \le r$, B sets $t_i$ to be a randomly chosen value. We let $t''$ denote the sum of these values. Then $t_k$ is defined to be $t' - t'' + y_\nu a_1 a_2 x$. For $i \neq k$, the simulator B knows the value of $t_i$, and so can compute:
$$C_{i,1} = g^{t_i},\qquad C_{i,2} = (w^{ID_i} h)^{t_i}.$$
For $i = k$, B computes:
$$C_{k,1} = g^{t_k} = g^{t' - t''}\,\nu^{a_1 a_2 x},\qquad C_{k,2} = (w^{ID_k} w^{-ID_k} g^{y_h})^{y_\nu a_1 a_2 x + t' - t''} = \nu^{y_h a_1 a_2 x}\,g^{y_h (t' - t'')}.$$

We note that we could only form the semi-functional ciphertext because $ID_k \in S$: otherwise we would not have been able to use the cancellation of $w^{ID_k}$ to compute the ciphertext term corresponding to the unknown share. This is an essential feature of our argument: the simulator must not be able to test semi-functionality of key k for itself by doing a test decryption on the semi-functional ciphertext it can create. In this case, such a test will fail because the created key k must always be for a revoked user who cannot decrypt; otherwise the semi-functional challenge ciphertext cannot be created.

In summary, when $T = \nu^{c_1+c_2}$ and B has guessed correctly, B has properly simulated $\mathrm{Game}_{k-1}$. When T is random and B has guessed correctly, B has properly simulated $\mathrm{Game}_k$. Thus, B can use A's output to obtain the same advantage in distinguishing $T = \nu^{c_1+c_2}$ from random that A has in distinguishing $\mathrm{Game}_{k-1}$ from $\mathrm{Game}_k$, on condition that it guesses correctly. Since this happens with probability $1/n$, its overall advantage is $\varepsilon/n$, where ε is the advantage of A.

Lemma 6. Suppose there exists an algorithm A that submits a revoked set of r users and $\mathrm{Game}_r\mathrm{Adv}_A - \mathrm{Game}_{Final}\mathrm{Adv}_A = \varepsilon$. Then we can build an algorithm B with advantage ε in the decision BDH game.

Proof. (This proof is essentially the same as the proof of Lemma 3 in [45], but we include it for completeness.) B first receives an instance of the d-BDH problem: $(g, g^{c_1}, g^{c_2}, g^{c_3}, T)$. B must decide whether $T = e(g,g)^{c_1 c_2 c_3}$ or is random. To accomplish this, B will call on A by simulating either $\mathrm{Game}_r$ or $\mathrm{Game}_{Final}$. A first sends a set $S = \{ID_1, \dots, ID_r\}$ to B.

Setup B chooses random exponents $a_1, b, y_v, y_{v_1}, y_{v_2}, y_w, y_h \in \mathbb{Z}_p$. It sets:
$$g = g,\quad g^b,\quad g^{a_1},\quad g^{a_2} = g^{c_2},\quad g^{ba_1},\quad g^{ba_2} = (g^{c_2})^b,\quad v = g^{y_v},\quad v_1 = g^{y_{v_1}},$$
$$v_2 = g^{y_{v_2}},\quad w = g^{y_w},\quad h = g^{y_h},\quad e(g,g)^{a_1 \alpha b} = e(g^{c_1}, g^{c_2})^{a_1 b}.$$
Note that this implicitly sets $a_2$ to the unknown value $c_2$ and α to the unknown value $c_1 c_2$. B also computes $\tau_1 = v\,v_1^{a_1}$, $\tau_1^b$, $\tau_2 = v\,(g^{c_2})^{y_{v_2}}$, $\tau_2^b$ and sends the public parameters to A.


Key Generation B must now generate semi-functional keys for $ID_1, \dots, ID_r$. For each $ID_i$, B chooses random exponents $d_1, d_2, z_1, z_2, \gamma' \in \mathbb{Z}_p$ and sets $d = d_1 + d_2$. The key elements are computed as:
$$D_1 = (g^{c_2})^{-\gamma' a_1}\,v^d,\quad D_2 = (g^{c_2})^{\gamma'}\,v_1^{d}\,g^{z_1},\quad D_3 = (g^b)^{-z_1},\quad D_4 = (g^{c_1})^{a_1}\,g^{a_1 \gamma'}\,v_2^{d}\,g^{z_2},$$
$$D_5 = g^{-b z_2},\quad D_6 = g^{d_2 b},\quad D_7 = g^{d_1},\quad K = (w^{ID_i} h)^{d_1}.$$

Challenge Ciphertext Once B has given A the public parameters and the keys for all elements of $S = \{ID_1, \dots, ID_r\}$, A sends B two messages $M_0, M_1$. B chooses a random value $\beta \in \{0,1\}$ and will create either a semi-functional ciphertext for $M_\beta$ or a semi-functional encryption of a random message. B chooses random exponents $s_1, x', t_1, \dots, t_r$ and sets $t = t_1 + \cdots + t_r$. It forms the ciphertext as:
$$C_0 = M_\beta\,T^{a_1 b},\quad C_1 = g^{s_1 b}(g^{c_3})^b,\quad C_2 = g^{b a_1 s_1},\quad C_3 = g^{a_1 s_1},\quad C_4 = (g^{c_2})^{x' b},\quad C_5 = (g^{c_2})^{x'},$$
$$C_6 = \tau_1^{s_1}\,(g^{c_3})^{y_v}\,(g^{c_2})^{y_{v_2} x'},\quad C_7 = (\tau_1^b)^{s_1}\,(g^{c_3})^{y_v b}\,(g^{c_2})^{y_{v_2} x' b}\,w^{-t},$$
$$C_{1,1} = g^{t_1},\quad C_{1,2} = (w^{ID_1} h)^{t_1},\ \dots,\ C_{r,1} = g^{t_r},\quad C_{r,2} = (w^{ID_r} h)^{t_r}.$$
These assignments implicitly set $s_2 = c_3$ and $x = -c_3 + x'$. If $T = e(g,g)^{c_1 c_2 c_3}$, then this is a properly distributed semi-functional encryption of $M_\beta$. If T is random, then this is a properly distributed semi-functional encryption of a random message. Thus, B can use A's output to distinguish $T = e(g,g)^{c_1 c_2 c_3}$ from random with the same advantage that A has in distinguishing $\mathrm{Game}_r$ from $\mathrm{Game}_{Final}$.

D Proof of Security for ABE scheme

We prove that the security of our main construction in the attribute-based selective-set model reduces to the hardness of the q-MEBDH assumption.

Theorem 10. If an adversary can break our ABE scheme with advantage ε in the attribute-based selective-set model of security, then a simulator can be constructed to play the q-MEBDH game with advantage ε/2.

Proof. Our proof will follow the outline of, and include much of the text from, the proofs of previous ABE schemes [37, 25, 35], but will incorporate the ideas from our new revocation scheme. We note that our revocation scheme, which we will use to realize "negated" attributes in our ABE scheme, is based on the q-MEDDH assumption. The technique we use to deal with ordinary, non-negated attributes, is the same as [25], which was based on the BDDH assumption. To adapt that part to the q-MEDDH assumption, we note that the BDDH assumption is embedded (in many different ways) in the q-MEDDH assumption that we use. In the BDDH assumption, we are given $A = g^a$, $B = g^b$, $g^s$ and must distinguish $e(g,g)^{abs}$ from a random element. We will implicitly set $a = \alpha/a_1^2$, and $b = a_1^2$. Note that in the q-MEDDH assumption, we are given $A = g^a$ and $B = g^b$ for these settings of a and b. Below we will use A and B to mean these values.

Suppose there exists a polynomial-time adversary A that can attack our scheme in the selective-set model with advantage ε. We build a simulator B that can play the q-MEDDH game with advantage ε/2. The simulation proceeds as follows:

The simulator begins by receiving a q-MEDDH challenge $\vec X, Z$. Note that with probability 1/2, $Z = e(g,g)^{\alpha s}$. We will denote this event as Ξ = 0. With probability 1/2, however, $Z = e(g,g)^z$ where z is a random element of $\mathbb{Z}_p$. We will denote this event as Ξ = 1.


Init The simulator B runs A. A chooses the challenge set, γ, a set of d members of $\mathbb{Z}_p^*$.

Setup The simulator assigns the public parameters $g_1 = A$ and $g_2 = B$, thereby implicitly setting $\alpha' = \alpha/a_1^2$ and $\alpha'' = a_1^2$.

The simulator will also program the random oracle H(x) as follows. Suppose the adversary queries the oracle on x. If the simulator already answered such a query, it simply returns the same answer. Otherwise, it picks a random $f_x \in \mathbb{Z}_p$ and responds as follows:
$$H(x) = \begin{cases} g^{f_x} & \text{if } x \in \gamma \\ g_2\,g^{f_x} & \text{if } x \notin \gamma \end{cases}$$

The simulator sets up the remainder of the public key exactly as in the proof of the revocation scheme, where the revocation set $S^* = \gamma$.

Phase 1 A adaptively makes requests for several access structures such that γ passes through none of them. Suppose A makes a request for the secret key for an access structure $\mathbb{A}$ where $\mathbb{A}(\gamma) = 0$. Note that by assumption, $\mathbb{A}$ is given as $NM(\tilde{\mathbb{A}})$ for some monotonic access structure $\tilde{\mathbb{A}}$, over a set $\mathcal{P}$ of parties (whose names will be attributes), associated with a linear secret-sharing scheme Π.

Let M be the share-generating matrix for Π: Recall, M is a matrix over $\mathbb{Z}_p$ with ℓ rows and n + 1 columns. For all i = 1, ..., ℓ, the i'th row of M is labeled with a party named $\breve{x}_i \in \mathcal{P}$, where $x_i$ is the attribute underlying $\breve{x}_i$. Note that $\breve{x}_i$ can be primed (negated) or unprimed (non-negated). When we consider the column vector $v = (s, r_1, r_2, \dots, r_n)$, where s is the secret to be shared, and $r_1, \dots, r_n \in \mathbb{Z}_p$ are randomly chosen, then Mv is the vector of ℓ shares of the secret s according to Π.

We make use of the following well-known observation about linear secret-sharing schemes (see, e.g. [5]^7): If $S \subset \mathcal{P}$ is a set of parties, then these parties can reconstruct the secret iff the column vector $(1, 0, 0, \dots, 0)$ is in the span of the rows of $M_S$, where $M_S$ is the submatrix of M containing only those rows that are labeled by a party in S. Note that since $\mathbb{A}(\gamma) = 0$, we know that $\tilde{\mathbb{A}}(\gamma') = 0$, where $\gamma' = N(\gamma)$. Thus, we know that $(1, 0, \dots, 0)$ is linearly independent of the rows of $M_{\gamma'}$.

During key generation, a secret sharing of the secret $\alpha' = a$ is supposed to be selected. In this simulation, however, we will choose this sharing (implicitly) in a slightly different manner, as we describe now: First, we pick a uniformly random vector $v = (v_1, \dots, v_{n+1}) \in \mathbb{Z}_p^{n+1}$. Now, we make use of the following simple proposition [2, 36] from linear algebra:

Proposition 11. A vector π is linearly independent of a set of vectors represented by a matrix N if and only if there exists a vector w such that $Nw = \vec 0$ while $\pi \cdot w = 1$.

Since $(1, 0, \dots, 0)$ is independent of $M_{\gamma'}$, there exists a vector $w = (w_1, \dots, w_{n+1})$ such that $M_{\gamma'} w = \vec 0$ and $(1, 0, \dots, 0) \cdot w = w_1 = 1$. Such a vector can be efficiently computed [2, 36]. Now we define the vector $u = v + (a - v_1) w$. (Note that u is distributed uniformly subject to the constraint that $u_1 = a$.) We will implicitly use the shares $\vec\lambda = Mu$. This has the property that for any $\lambda_i$ such that $\breve{x}_i \in \gamma'$, we have that $\lambda_i = M_i u = M_i v$ has no dependence on a.
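As an added illustration (not code from the paper), the following Python computes the witness w of Proposition 11 by Gauss-Jordan elimination over $\mathbb{Z}_p$ and forms the simulator's share vector $u = v + (a - v_1)w$ for a small LSSS matrix constructed here; the access structure, prime p, vector v and secret values are all assumed for the demonstration.

```python
# Added example (not from the paper): Proposition 11 and the simulator's
# share vector u = v + (a - v_1) w, computed over Z_p for a small LSSS
# matrix M constructed here. Rows of M labelled by parties in gamma'
# receive shares lambda_i = M_i v that do not depend on the secret a.

def solve_mod_p(A, b, p):
    """Solve A x = b over Z_p by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    m, n = len(A), len(A[0])
    # augmented working copy, reduced mod p
    M = [[x % p for x in row] + [bi % p] for row, bi in zip(A, b)]
    pivot_cols, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue  # no pivot in this column: x[c] is a free variable
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivot_cols.append(c)
        r += 1
    # remaining rows are zero on the left; a nonzero right-hand side means no solution
    if any(M[i][n] for i in range(r, m)):
        return None
    x = [0] * n
    for i, c in enumerate(pivot_cols):
        x[c] = M[i][n]
    return x


def proposition_11_witness(N, p, n=None):
    """Return w with N w = 0 and w_1 = 1 (Proposition 11 with pi = (1,0,...,0)),
    or None when (1,0,...,0) lies in the row span of N, i.e. when the rows
    of N could reconstruct the secret."""
    n = len(N[0]) if n is None else n
    pi = [1] + [0] * (n - 1)
    return solve_mod_p(N + [pi], [0] * len(N) + [1], p)


def simulated_shares(M, gamma_prime_rows, a, v, p):
    """Simulator's sharing of the secret a: u = v + (a - v_1) w, lambda = M u.
    v is the random vector the simulator picked first. Returns (u, lambda),
    or None if the rows in gamma_prime_rows satisfy the access structure."""
    w = proposition_11_witness([M[i] for i in gamma_prime_rows], p, len(M[0]))
    if w is None:
        return None
    u = [(vi + (a - v[0]) * wi) % p for vi, wi in zip(v, w)]
    lam = [sum(mi * ui for mi, ui in zip(row, u)) % p for row in M]
    return u, lam


if __name__ == "__main__":
    p = 101
    # Constructed LSSS for "(P1 AND P2) OR P3": shares s+r, r, s of secret s.
    M = [[1, 1], [0, 1], [1, 0]]
    v = [5, 7]                      # constructed stand-in for the random v
    for a in (42, 10):
        u, lam = simulated_shares(M, [0], a, v, p)   # gamma' = {P1}
        print(a, u, lam)            # lambda_1 = 12 for both values of a
    print(simulated_shares(M, [0, 1], 42, v, p))     # None: {P1, P2} reconstructs
```

Running it shows the share of the row labelled by the party in γ′ unchanged as a varies, while the other shares move with a, exactly the property the simulation relies on.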

Now that we have established how to distribute shares to "parties", which map to negated or non negated attributes, we need to show how to generate the key material.

We first describe how to generate decryption key material corresponding to negated parties $\breve{x}_i = x'_i$. Note that by definition, $\breve{x}_i \in \gamma'$ if and only if $x_i \notin \gamma$.

^7 Here, we are essentially exploiting the equivalence between linear secret-sharing schemes and monotone span programs, as proven in [5]. The proof in [5] is for a slightly different formulation, but applies here as well.


• If $x_i \in \gamma$, then since $\breve{x}_i \notin \gamma'$, we have that $\lambda_i$ may depend linearly on a, and in general $\lambda_i = \mu a + \theta$, for some known constants μ and θ. However, by the simulator's choices at setup, we can invoke the proof of the revocation scheme to generate the appropriate key material. Note that in our setting, the randomness $r_i$ is the name of the randomness $t_i$ from the revocation scheme, and $x_i$ is the name of the identity $ID_i$. Furthermore, note that with our parameters, we have that $D^{(3)}_i = g_2^{\lambda_i} g_2^{b r_i} = g^{\mu\alpha} g_2^{b r_i} \cdot g^{\theta\alpha''}$. Note that $g^{\theta\alpha''}$ can be generated immediately from $g^{\alpha''} = g^{a_1^2}$ which is given as part of the q-MEDDH assumption. The remainder of the key material is generated exactly as specified in the proof of the revocation scheme (see also the remark following the key generation part of the proof).

• If $x_i \notin \gamma$, then since $\breve{x}_i \in \gamma'$, we have that $\lambda_i$ is independent of any secrets and is completely known to the simulator. In this case, the simulator chooses $r_i \in \mathbb{Z}_p$ at random, and outputs the following:
$$D_i = \big(D^{(3)}_i = g_2^{\lambda_i + b r_i},\ D^{(4)}_i = g^{r_i b x_i} h^{r_i},\ D^{(5)}_i = g^{-r_i}\big)$$
Note that the simulator can compute all these elements using elements already computed as part of the computation of the public key ($g_2^b$, $g^b$, h).

We now describe how to give key material corresponding to non negated parties $\breve{x}_i = x_i$. The simulated key construction techniques for non negated parties are similar to previous work [25, 37].

• If $x_i \in \gamma$, then since $\lambda_i$ has no dependence on any unknown secrets, we simply choose $r_i \in \mathbb{Z}_p$, and output $D_i = \big(D^{(1)}_i = g_2^{\lambda_i} \cdot H(x_i)^{r_i},\ D^{(2)}_i = g^{r_i}\big)$.

• If $x_i \notin \gamma$, then we work as follows: Let $g_3 = g^{\lambda_i}$. Note that the simulator can compute $g_3$ using A and g. Choose $r'_i \in \mathbb{Z}_p$ at random, and output the components of $D_i$ as follows:
$$D^{(1)}_i = g_3^{-f_{x_i}}\,(g_2 g^{f_{x_i}})^{r'_i},\qquad D^{(2)}_i = g_3^{-1}\,g^{r'_i}$$

Claim 12. The simulation above produces valid decryption keys, that are furthermore distributed identically to the decryption keys that would have been produced by the ABE scheme for the same public parameters.

Proof. We will establish this claim by a case analysis. For key material corresponding to negated parties $\breve{x}_i$, this has already been verified in the proof of the revocation scheme.

For key material corresponding to non negated parties $\breve{x}_i$:

• If $x_i \in \gamma$, then the simulation produces key material using the same procedure as the ABE scheme.

• If $x_i \notin \gamma$, then to see why the simulated key material is good, note that by our programming of the hash function, $H(x)$ has a $g_2$ component for all $x_i \notin \gamma$. Now let $r_i = r'_i - \lambda_i$. Note that $r_i$ is distributed uniformly over $\mathbb{Z}_p$ and is independent of all other variables except $r'_i$. Then,
$$\begin{aligned}
D^{(1)}_i &= g_3^{-f_{x_i}}\,(g_2 g^{f_{x_i}})^{r'_i} \\
&= g^{-\lambda_i f_{x_i}}\,(g_2 g^{f_{x_i}})^{r'_i} \\
&= g_2^{\lambda_i}\,(g_2 g^{f_{x_i}})^{-\lambda_i}\,(g_2 g^{f_{x_i}})^{r'_i} \\
&= g_2^{\lambda_i}\,(g_2 g^{f_{x_i}})^{r'_i - \lambda_i} \\
&= g_2^{\lambda_i}\,H(x_i)^{r_i}
\end{aligned}$$
and
$$D^{(2)}_i = g_3^{-1}\,g^{r'_i} = g^{r'_i - \lambda_i} = g^{r_i}.$$

Challenge The adversary A will submit two challenge messages $M_0$ and $M_1$ to the simulator. Let C denote $g^s g^{s'}$, where s' is chosen at random, and $g^s$ is as provided by the q-MEDDH assumption. The simulator flips a fair binary coin ν, and returns an encryption of $M_\nu$. The ciphertext is output as
$$E = \Big(\gamma,\ E^{(1)} = M_\nu Z,\ E^{(2)} = C,\ \{E^{(3)}_x = C^{f_x}\}_{x \in \gamma},\ E^{(4)}_x,\ E^{(5)}_x\Big)$$
where $E^{(4)}_x, E^{(5)}_x$ are constructed exactly as $C_{i,1}$ and $C_{i,2}$, respectively, in the proof of the revocation scheme. If Ξ = 0 then $Z = e(g,g)^{\alpha s}$. Then by inspection, the ciphertext is a valid ciphertext for the message $M_\nu$ under the set γ. Otherwise, if Ξ = 1, then $Z = e(g,g)^z$. We then have $E^{(1)} = M_\nu e(g,g)^z$. Since z is random, $E^{(1)}$ will be a random element of $\mathbb{G}_T$ from the adversary's viewpoint and the message contains no information about $M_\nu$.

Phase 2 The simulator acts exactly as it did in Phase 1.

Guess A will submit a guess ν′ of ν. If ν′ = ν the simulator will output Ξ′ = 0 to indicate that it was given a valid q-MEDDH tuple; otherwise, it will output Ξ′ = 1 to indicate it was given a random target element Z.

As shown above, the simulator's generation of public parameters and private keys is identical to that of the actual scheme.

In the case where Ξ = 1 the adversary gains no information about ν. Therefore, we have $\Pr[\nu \neq \nu' \mid \Xi = 1] = \tfrac{1}{2}$. Since the simulator guesses Ξ′ = 1 when ν ≠ ν′, we have $\Pr[\Xi' = \Xi \mid \Xi = 1] = \tfrac{1}{2}$. If Ξ = 0 then the adversary sees an encryption of $M_\nu$. The adversary's advantage in this situation is ε by assumption. Therefore, we have $\Pr[\nu = \nu' \mid \Xi = 0] = \tfrac{1}{2} + \varepsilon$. Since the simulator guesses Ξ′ = 0 when ν = ν′, we have $\Pr[\Xi' = \Xi \mid \Xi = 0] = \tfrac{1}{2} + \varepsilon$.

The overall advantage of the simulator in the q-MEDDH game is
$$\tfrac{1}{2}\Pr[\Xi' = \Xi \mid \Xi = 0] + \tfrac{1}{2}\Pr[\Xi' = \Xi \mid \Xi = 1] - \tfrac{1}{2} = \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2}\cdot\tfrac{1}{2} - \tfrac{1}{2} = \tfrac{1}{2}\varepsilon.$$
